From a77b2c4f0f3d095a536ea2304da4078f7c5c63d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 2 May 2020 18:44:17 +0200
Subject: [PATCH] unbound: fix MTU settings

That was the root cause of all our DNSSEC issues. Now that this was fixed, we're not having these anymore, so the relaxed checks can be restored back to their original state.
---
 group_vars/all/vars.yml | 2 ++
 .../templates/dhcp/dhcpd.conf.j2 | 3 +--
 roles/unbound/templates/recursive.conf.j2 | 25 +++++++------------
 3 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index be601da..6a0b66b 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -49,3 +49,5 @@ dns_host_suffix_backup: 153
 backup_dns_servers:
  - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
+
+mtu: 1400
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
index f0a35fe..dc642ae 100644
--- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
+++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
@@ -5,8 +5,7 @@ max-lease-time 86400;
 # Option definitions common to all supported networks.
-# The MTU theoretically could go as high as 1496 (4-byte VLAN tag).
-option interface-mtu 1400;
+option interface-mtu {{ mtu }};
 option root-path "/";
 # The ddns-updates-style parameter controls whether or not the server will
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index 0ba6f5b..62c93be 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
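Review bot: `mtu: 1400` is added to group_vars with no comment, yet the other two hunks now feed it into two different quantities: the link MTU handed out by dhcpd's `interface-mtu`, and unbound's `edns-buffer-size`/`max-udp-size`, which are DNS payload sizes that exclude the IP and UDP headers. A 1400-byte UDP payload on a 1400-byte link still carries 28 bytes (IPv4) or 48 bytes (IPv6) of headers, so it can still fragment; the `1472` cited in unbound's own comment in recursive.conf.j2 is exactly 1500 minus 28. Consider documenting the variable and deriving the DNS value instead of reusing it verbatim, e.g. `# Link MTU advertised via DHCP interface-mtu; a 4-byte VLAN tag would allow up to 1496.` above the key and `edns-buffer-size: {{ mtu - 28 }}` in recursive.conf.j2 (or the 1232-byte payload size recommended since DNS flag day 2020). The rationale comment about the 1496 ceiling dropped from dhcpd.conf.j2 belongs next to this definition now that the value lives in group_vars.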
@@ -30,26 +30,19 @@ server:
  private-address: 10.0.0.0/8
- # XXX
- # We've been having issues with bogus DNSSEC responses, and unintended
- # blacklisting of nameservers because of that.
- # The following is intended as a stopgap solution.
- #
- # unbound had issues with auro.re's DS records, apparently;
- # it kept receiving an error, which subsequently caused a blacklisting
- # of relevant servers and an inability to resolve auro.re and its
- # subdomains.
- #
- # auro.re does not have DNSSEC anyway, so we can treat it as insecure.
- domain-insecure: "auro.re"
-
- # The host cache TTL affects blacklisting of supposedly bogus hosts.
  # The default was 900 (15 minutes).
  infra-host-ttl: 60
- harden-dnssec-stripped: no
- disable-dnssec-lame-check: yes
+ # The following is vital, we were having issues
+ # with DNSSEC that turned out to be due to UDP responses that were too
+ # large.
+ # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+ # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
+ edns-buffer-size: {{ mtu }}
+ # Maximum UDP response size (not applied to TCP response).
+ # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
+ max-udp-size: {{ mtu }}