[Unbound-users] Linux kernel 2.6.18 and ipv6, and, Solaris and libevent
Paul Wouters
paul at xelerance.com
Tue May 18 16:11:55 UTC 2010
On Tue, 18 May 2010, W.C.A. Wijngaards wrote:
> On Linux, if you use kernel 1.6.18 (a little older but found in 'stable'
> distros, such as RHEL 5.5), and use ip6tables, then there is trouble
> with unbound (and other IPv6 related troubles). The issue is
> that UDP fragmentation stops working (also for IPv4), making unbound, if
> it is DNSSEC validating, unable to fetch whole responses for some
> queries. This would also affect other DNSSEC implementations. The fix
> is to upgrade to a newer kernel. You can detect this issue with
> unbound-host -t TXT rs.dns-oarc.net which drops from 4k to 1435 bytes
> after enabling ip6tables.
I wonder if this is related to:
Sat May 05 2007 Don Zickus <dzickus at redhat dot com> [2.6.18-18.el5]
- [net] IPv6 fragments bypass in nf_conntrack netfilter code (Thomas Graf ) [234288] {CVE-2007-1497}
I'll see if I can do a test with the previous kernel and 2.6.18-18.
Though you say it also impacts IPv4 fragments when starting ip6tables,
right?
Paul
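The detection check quoted above (querying TXT rs.dns-oarc.net and watching the reported reply size drop) can be made repeatable. This is an added shell example, not code from the thread or from the Unbound project; the sample unbound-host output lines, the "has TXT record" wording, and the 4000-byte threshold are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of unbound-host output on a healthy host (format assumed).
GOOD_OUTPUT='rs.dns-oarc.net is an alias for rst.x3827.rs.dns-oarc.net.
rst.x3827.rs.dns-oarc.net is an alias for rst.x3837.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net has TXT record "192.0.2.10 sent EDNS buffer size 4096"
rst.x3837.x3827.rs.dns-oarc.net has TXT record "192.0.2.10 DNS reply size limit is at least 4090"'

# Constructed sample from a host where fragments are being dropped (1435 bytes, as in the mail).
BAD_OUTPUT='rs.dns-oarc.net is an alias for rst.x1435.rs.dns-oarc.net.
rst.x1435.rs.dns-oarc.net has TXT record "192.0.2.10 sent EDNS buffer size 4096"
rst.x1435.rs.dns-oarc.net has TXT record "192.0.2.10 DNS reply size limit is at least 1435"'

# Read unbound-host output on stdin and print the largest
# "DNS reply size limit is at least N" value it contains (empty if none).
reply_size_limit() {
    sed -n 's/.*DNS reply size limit is at least \([0-9][0-9]*\).*/\1/p' \
        | sort -n | tail -n 1
}

# check_fragmentation OUTPUT [MIN]
# Exit 0 when the reported limit is at least MIN bytes (default 4000, an assumed
# threshold close to the ~4k expected with a 4096 EDNS buffer), 1 when the
# limit is below MIN (fragments are not getting through), 2 when no limit was found.
check_fragmentation() {
    min=${2:-4000}
    limit=$(printf '%s\n' "$1" | reply_size_limit)
    [ -n "$limit" ] || return 2
    [ "$limit" -ge "$min" ]
}

# Run the real query against the resolver this host uses (needs network access).
live_check() {
    check_fragmentation "$(unbound-host -t TXT rs.dns-oarc.net)" "$1"
}

# Demonstrate on the constructed samples.
for sample in GOOD_OUTPUT BAD_OUTPUT; do
    eval "out=\$$sample"
    if check_fragmentation "$out"; then
        echo "$sample: reply size limit $(printf '%s\n' "$out" | reply_size_limit), fragments OK"
    else
        echo "$sample: reply size limit $(printf '%s\n' "$out" | reply_size_limit), fragments dropped?"
    fi
done
```

Call live_check on a host before and after loading ip6tables to reproduce the comparison described in the mail.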