On 2016-06-11 Daryl F wrote:
> On Thu, 21 Apr 2016, Trevor Cordes wrote:
>> The problem: IPv6! Argh!
> Is there a firewall blocking *TCP* port 53? With DNSSEC and IPv6 we will see more DNS responses that are too big to send over UDP.
Since it's outgoing traffic we're talking about, nope: my firewalls do not block TCP port 53 in IPv4, as I'm pretty open about chain OUTPUT (but not FORWARD).
I discussed the issue further with a group of MUUG guys at a meeting, and we almost definitely believe (haven't tested yet) that the problem was two things: 1) I dropped all IPv6; 2) I *dropped*, not *rejected*, all IPv6.
We believe that both have to hold, which is why not many people hit this bug, as many people (and most stock routers) would default to reject (iptables ... -j REJECT), which *probably* will tell BIND to immediately give up on 6 and try 4, mitigating the bug. That's the theory anyhow.
I'll test it one of these days...