[nsd-users] Possible fragmentation issue transferring larger zones over IPv6?
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Tue Apr 8 07:26:23 UTC 2014
Hi Darren,
On 03/30/2014 08:31 PM, Darren Pilgrim wrote:
> On 3/30/2014 9:24 AM, Anand Buddhdev wrote:
>> On 29/03/2014 22:37, Darren Pilgrim wrote:
>>
>>> I'm not sure how to document this other than showing you the
>>> "operation timed out: tcp" log entries and zonestatus output
>>> that shows the slaves are not getting the zone.
>>
>> If NSD is emitting packets that are bigger than the IPv6 path MTU
>> to the slave, then a device along the path will send back an ICMP
>> message asking the source to fragment. If this ICMP message never
>> reaches the master, it won't know that it needs to fragment the
>> packets, and will keep sending bigger packets, and result in a
>> timeout.
>>
>> On the master, run tcpdump, and then send out large packets to
>> the slave (ping6 will do) and see if you're getting back the
>> relevant ICMP message, and whether the network stack on the
> >> master is adapting itself to such a notification.
>
> It looks like something mid-path in the master's ISP that's
> breaking PMTU. I can get large pings between the slaves, but I can
> only get large pings a few steps through the master's ISP. I was
> really hoping it was something dumb like I had left the fragment
> rules out of my rulesets.
But NSD uses TCP for zone transfers? I thought that PMTU discovery
does not really apply to TCP? NSD is unable to create a TCP stream
and send more than one data-packet worth of data on it? And you
report that NSD reports a timeout when that happens - like no more
packets are arriving. Some sort of stateful firewall that has a state
problem?
Best regards, Wouter
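
The check suggested in the quoted text (capture on the master and see whether the ICMP message reporting an oversized packet comes back) can be scripted. For IPv6 that message is ICMPv6 type 2, Packet Too Big. This is an added example, not part of the original thread or of NSD; the addresses, ports and sample packet are constructed, and it assumes no IPv6 extension headers.

```python
import ipaddress
import struct

ICMPV6, TCP, PACKET_TOO_BIG = 58, 6, 2

def parse_packet_too_big(pkt: bytes):
    """Return details of an ICMPv6 Packet Too Big message, or None.

    pkt is a raw IPv6 packet starting at the IPv6 header. Extension
    headers are not walked (assumption: ICMPv6 directly follows).
    """
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6:
        return None
    icmp = pkt[40:]
    if icmp[0] != PACKET_TOO_BIG:
        return None
    mtu = struct.unpack("!I", icmp[4:8])[0]  # MTU of the constricting link
    info = {"reporter": str(ipaddress.IPv6Address(pkt[8:24])), "mtu": mtu}
    inner = icmp[8:]  # as much of the dropped packet as the router could fit
    if len(inner) >= 40 and inner[0] >> 4 == 6:
        info["orig_src"] = str(ipaddress.IPv6Address(inner[8:24]))
        info["orig_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
        info["orig_len"] = 40 + struct.unpack("!H", inner[4:6])[0]
        if inner[6] == TCP and len(inner) >= 44:
            info["tcp_ports"] = struct.unpack("!HH", inner[40:44])
    return info

def ipv6_header(src, dst, next_header, payload_len):
    """Fixed 40-byte IPv6 header: version 6, hop limit 64."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def build_sample():
    """Constructed sample: a router tells the master that a 1500-byte
    zone-transfer segment exceeds a 1280-byte link (documentation prefix)."""
    master, slave, router = "2001:db8::53", "2001:db8:1::53", "2001:db8:ffff::1"
    tcp_start = struct.pack("!HHI", 53, 49152, 1000)  # ports + sequence number
    dropped = ipv6_header(master, slave, TCP, 1460) + tcp_start
    # type, code, checksum (left 0 in this sample), MTU, then the dropped packet
    icmp = struct.pack("!BBHI", PACKET_TOO_BIG, 0, 0, 1280) + dropped
    return ipv6_header(router, master, ICMPV6, len(icmp)) + icmp

if __name__ == "__main__":
    print(parse_packet_too_big(build_sample()))
```

If a capture on the master never yields such a record for the transfer's port pair while large segments keep being retransmitted, the message is being lost somewhere on the return path.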