I have two BIND 9.10 servers set up with one as a master and the other as a slave. The master is in a jail on a FreeBSD 10.3 VM on Vultr and the slave is in a jail on a FreeBSD 10.3 VM on Digital Ocean. When I tried to switch them to doing Zone Transfers over IPv6 instead of IPv4, it stopped working. Turns out PF was dropping the fragmented packets. I'm trying to figure out why the packets are getting fragmented in the first place. I also have nginx running in a different jail on the same VM as the master, and downloading a large file does not cause any IPv6 fragmentation.
To see if the issue is caused by PF I created some other VMs without any firewalling turned on and set up BIND as a master. Even without PF turned on I still get fragmentation. I also created a FreeBSD 11 Beta VM as the BIND master to see if something had been fixed between 10 and 11, and I still see this issue. With an Ubuntu 16.04 VM acting as the master I do not get fragmented packets. I've used dig on the existing slave FreeBSD 10.3 VM to request AXFRs from the different master VMs I've set up. I've seen no fragmentation on IPv4.
Perhaps there is some configuration in named.conf that I could do to fix this, although I can't find anything.
tcpdump output showing fragmentation
Code:
[NOPARSE]
root@vps-do-1:~ # tcpdump -vvv host 2001:19f0:5:5d:5400:ff:fe2d:9358
tcpdump: listening on vtnet0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:57:55.268641 IP6 (flowlabel 0xcac05, hlim 64, next-header TCP (6) payload length: 40) vps-do-1.jdmulloy.com.42905 > 2001:19f0:5:5d:5400:ff:fe2d:9358.domain: Flags [S], cksum 0x3083 (incorrect -> 0x3721), seq 3691768902, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 82013083 ecr 0], length 0
19:57:55.345449 IP6 (flowlabel 0x995ed, hlim 50, next-header TCP (6) payload length: 40) 2001:19f0:5:5d:5400:ff:fe2d:9358.domain > vps-do-1.jdmulloy.com.42905: Flags [S.], cksum 0x425e (correct), seq 1510577645, ack 3691768903, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 172096121 ecr 82013083], length 0
19:57:55.345507 IP6 (flowlabel 0xcac05, hlim 64, next-header TCP (6) payload length: 32) vps-do-1.jdmulloy.com.42905 > 2001:19f0:5:5d:5400:ff:fe2d:9358.domain: Flags [.], cksum 0x307b (incorrect -> 0x6cc5), seq 1, ack 1, win 1026, options [nop,nop,TS val 82013161 ecr 172096121], length 0
19:57:55.345652 IP6 (flowlabel 0xcac05, hlim 64, next-header TCP (6) payload length: 75) vps-do-1.jdmulloy.com.42905 > 2001:19f0:5:5d:5400:ff:fe2d:9358.domain: Flags [P.], cksum 0x30a6 (incorrect -> 0xe817), seq 1:44, ack 1, win 1026, options [nop,nop,TS val 82013161 ecr 172096121], length 4349659 [1au] AXFR? jdmulloy.com. ar: . OPT UDPsize=4096 (41)
19:57:55.423160 IP6 (flowlabel 0x995ed, hlim 50, next-header Fragment (44) payload length: 1240) 2001:19f0:5:5d:5400:ff:fe2d:9358 > vps-do-1.jdmulloy.com: frag (0x304490cb:0|1232) domain > 42905: Flags [P.], seq 1:1201, ack 44, win 1026, options [nop,nop,TS val 172096198 ecr 82013161], length 120049659*- q: AXFR? jdmulloy.com. 43/0/1 jdmulloy.com. [1m] SOA ns1.jdmulloy.com. hostmaster.mulloy.me. 2016071837 28800 7200 2419200 60, jdmulloy.com. [1m] TXT "v=spf1 +mx:mulloy.me +a:vps-do-1.jdmulloy.com ~all", jdmulloy.com. [1m] SPF, jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::4, jdmulloy.com. [1m] NS ns1.jdmulloy.com., jdmulloy.com. [1m] NS ns2.jdmulloy.com., jdmulloy.com. [1m] MX mail.vps-vu-1.jdmulloy.com. 10, jdmulloy.com. [1m] MX mail.vps-do-sfo2-float-1.jdmulloy.com. 20, jdmulloy.com. [1m] A 45.63.5.150, _dmarc.jdmulloy.com. [1m] TXT "v=DMARC1; p=none; rua=mailto:admin@mulloy.me; ruf=mailto:admin@mulloy.me", ns1.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::2, ns1.jdmulloy.com. [1m] A 45.63.5.150, ns2.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4002, ns2.jdmulloy.com. [1m] A 138.68.36.47, test.jdmulloy.com. [1m] A 45.63.5.150, test.jdmulloy.com. [1m] A 138.68.36.47, vps.jdmulloy.com. [1m] CNAME vps-vu-1.jdmulloy.com., vps-do-1.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4001, vps-do-1.jdmulloy.com. [1m] A 138.68.4.44, mail.vps-do-1.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4003, mail.vps-do-1.jdmulloy.com. [1m] A 138.68.4.44, nagios.vps-do-1.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4005, nagios.vps-do-1.jdmulloy.com. [1m] A 138.68.4.44, ns.vps-do-1.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4002, ns.vps-do-1.jdmulloy.com. [1m] A 138.68.4.44, web.vps-do-1.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4004, web.vps-do-1.jdmulloy.com. [1m] A 138.68.4.44, vps-do-sfo2-float-1.jdmulloy.com. [1m] A 138.68.36.47, mail.vps-do-sfo2-float-1.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4003, mail.vps-do-sfo2-float-1.jdmulloy.com. [1m] A 138.68.36.47, vps-vu-1.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::1, vps-vu-1.jdmulloy.com. [1m] A 45.63.5.150, mail.vps-vu-1.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::3, mail.vps-vu-1.jdmulloy.com. [1m] A 45.63.5.150, nagios.vps-vu-1.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::5, nagios.vps-vu-1.jdmulloy.com. [1m] A 45.63.5.150, ns.vps-vu-1.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::2, ns.vps-vu-1.jdmulloy.com. [1m] A 45.63.5.150, web.vps-vu-1.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::4, web.vps-vu-1.jdmulloy.com. [1m] A 45.63.5.150, www.jdmulloy.com. [1m] A 45.63.5.150, www.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::4, jdmulloy.com.[|domain]
19:57:55.423208 IP6 (flowlabel 0x995ed, hlim 50, next-header Fragment (44) payload length: 45) 2001:19f0:5:5d:5400:ff:fe2d:9358 > vps-do-1.jdmulloy.com: frag (0x304490cb:1232|37)
19:57:55.427775 IP6 (flowlabel 0xcac05, hlim 64, next-header TCP (6) payload length: 32) vps-do-1.jdmulloy.com.42905 > 2001:19f0:5:5d:5400:ff:fe2d:9358.domain: Flags [F.], cksum 0x307b (incorrect -> 0x6726), seq 44, ack 1238, win 1026, options [nop,nop,TS val 82013242 ecr 172096198], length 0
19:57:55.504276 IP6 (flowlabel 0x995ed, hlim 50, next-header TCP (6) payload length: 32) 2001:19f0:5:5d:5400:ff:fe2d:9358.domain > vps-do-1.jdmulloy.com.42905: Flags [.], cksum 0x66d4 (correct), seq 1238, ack 45, win 1026, options [nop,nop,TS val 172096280 ecr 82013242], length 0
19:57:55.504417 IP6 (flowlabel 0x995ed, hlim 50, next-header TCP (6) payload length: 32) 2001:19f0:5:5d:5400:ff:fe2d:9358.domain > vps-do-1.jdmulloy.com.42905: Flags [F.], cksum 0x66d3 (correct), seq 1238, ack 45, win 1026, options [nop,nop,TS val 172096280 ecr 82013242], length 0
19:57:55.504458 IP6 (flowlabel 0xcac05, hlim 64, next-header TCP (6) payload length: 32) vps-do-1.jdmulloy.com.42905 > 2001:19f0:5:5d:5400:ff:fe2d:9358.domain: Flags [.], cksum 0x307b (incorrect -> 0x6685), seq 45, ack 1239, win 1026, options [nop,nop,TS val 82013320 ecr 172096280], length 0
[/NOPARSE]
Dig command run on slave VM
Code:
[NOPARSE]
root@vps-do-1:~ # dig axfr +tcp @2001:19f0:5:5d:5400:ff:fe2d:9358 jdmulloy.com
; <<>> DiG 9.10.4-P1 <<>> axfr +tcp @2001:19f0:5:5d:5400:ff:fe2d:9358 jdmulloy.com
; (1 server found)
;; global options: +cmd
jdmulloy.com. 60 IN SOA ns1.jdmulloy.com. hostmaster.mulloy.me. 2016071837 28800 7200 2419200 60
jdmulloy.com. 60 IN TXT "v=spf1 +mx:mulloy.me +a:vps-do-1.jdmulloy.com ~all"
jdmulloy.com. 60 IN SPF "v=spf1 +mx:mulloy.me +a:vps-do-1.jdmulloy.com ~all"
jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::4
jdmulloy.com. 60 IN NS ns1.jdmulloy.com.
jdmulloy.com. 60 IN NS ns2.jdmulloy.com.
jdmulloy.com. 60 IN MX 10 mail.vps-vu-1.jdmulloy.com.
jdmulloy.com. 60 IN MX 20 mail.vps-do-sfo2-float-1.jdmulloy.com.
jdmulloy.com. 60 IN A 45.63.5.150
_dmarc.jdmulloy.com. 60 IN TXT "v=DMARC1; p=none; rua=mailto:admin@mulloy.me; ruf=mailto:admin@mulloy.me"
ns1.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::2
ns1.jdmulloy.com. 60 IN A 45.63.5.150
ns2.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4002
ns2.jdmulloy.com. 60 IN A 138.68.36.47
test.jdmulloy.com. 60 IN A 45.63.5.150
test.jdmulloy.com. 60 IN A 138.68.36.47
vps.jdmulloy.com. 60 IN CNAME vps-vu-1.jdmulloy.com.
vps-do-1.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4001
vps-do-1.jdmulloy.com. 60 IN A 138.68.4.44
mail.vps-do-1.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4003
mail.vps-do-1.jdmulloy.com. 60 IN A 138.68.4.44
nagios.vps-do-1.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4005
nagios.vps-do-1.jdmulloy.com. 60 IN A 138.68.4.44
ns.vps-do-1.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4002
ns.vps-do-1.jdmulloy.com. 60 IN A 138.68.4.44
web.vps-do-1.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4004
web.vps-do-1.jdmulloy.com. 60 IN A 138.68.4.44
vps-do-sfo2-float-1.jdmulloy.com. 60 IN A 138.68.36.47
mail.vps-do-sfo2-float-1.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4003
mail.vps-do-sfo2-float-1.jdmulloy.com. 60 IN A 138.68.36.47
vps-vu-1.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::1
vps-vu-1.jdmulloy.com. 60 IN A 45.63.5.150
mail.vps-vu-1.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::3
mail.vps-vu-1.jdmulloy.com. 60 IN A 45.63.5.150
nagios.vps-vu-1.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::5
nagios.vps-vu-1.jdmulloy.com. 60 IN A 45.63.5.150
ns.vps-vu-1.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::2
ns.vps-vu-1.jdmulloy.com. 60 IN A 45.63.5.150
web.vps-vu-1.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::4
web.vps-vu-1.jdmulloy.com. 60 IN A 45.63.5.150
www.jdmulloy.com. 60 IN A 45.63.5.150
www.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::4
jdmulloy.com. 60 IN SOA ns1.jdmulloy.com. hostmaster.mulloy.me. 2016071837 28800 7200 2419200 60
;; Query time: 77 msec
;; SERVER: 2001:19f0:5:5d:5400:ff:fe2d:9358#53(2001:19f0:5:5d:5400:ff:fe2d:9358)
;; WHEN: Tue Jul 19 19:57:55 UTC 2016
;; XFR size: 43 records (messages 1, bytes 1235)
[/NOPARSE]
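The capture above already contains the answer to "who fragmented": the first fragment carries `payload length: 1240`, and 40 bytes of IPv6 header plus 1240 is exactly 1280, the IPv6 minimum link MTU (RFC 8200). Fragmenting a TCP flow at precisely 1280 while the handshake negotiated `mss 1440` (1500-byte packets) means the sending host's IP layer chose the minimum MTU, not that some hop on the path has a small MTU. That is the behaviour of the `IPV6_USE_MIN_MTU` socket option, which BIND sets on its IPv6 sockets, so checking the fragment boundary is the quickest way to separate "sender deliberately fragments" from "path MTU problem" before touching PF. The script below is an added example, not code from the post; it parses `tcpdump -vvv` fragment lines (the two fragment lines from the capture are embedded as constructed sample input, trimmed to the fields the parser reads), infers the boundary the sender fragmented at, and cross-checks the reassembled size against dig's `bytes 1235`. The 32-byte TCP header length (20 bytes plus the `nop,nop,TS` options seen in the capture) is an assumption taken from this trace.

```python
"""Infer the IPv6 fragmentation boundary a sender used, from tcpdump -vvv output."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

IPV6_HEADER_LEN = 40      # fixed IPv6 header
IPV6_FRAG_HEADER_LEN = 8  # Fragment extension header (next-header 44)
IPV6_MIN_MTU = 1280       # RFC 8200 minimum link MTU

# Constructed sample input: the two fragment lines and one plain TCP line from the
# capture in the post, trimmed to the fields this parser reads.
SAMPLE_LINES = [
    "19:57:55.423160 IP6 (flowlabel 0x995ed, hlim 50, next-header Fragment (44) payload length: 1240) "
    "2001:19f0:5:5d:5400:ff:fe2d:9358 > vps-do-1.jdmulloy.com: frag (0x304490cb:0|1232) "
    "domain > 42905: Flags [P.], seq 1:1201, ack 44, win 1026, length 1200",
    "19:57:55.423208 IP6 (flowlabel 0x995ed, hlim 50, next-header Fragment (44) payload length: 45) "
    "2001:19f0:5:5d:5400:ff:fe2d:9358 > vps-do-1.jdmulloy.com: frag (0x304490cb:1232|37)",
    "19:57:55.504276 IP6 (flowlabel 0x995ed, hlim 50, next-header TCP (6) payload length: 32) "
    "2001:19f0:5:5d:5400:ff:fe2d:9358.domain > vps-do-1.jdmulloy.com.42905: Flags [.], length 0",
]

# tcpdump prints "frag (<ident>:<offset>|<fragment length>)" for next-header 44 packets.
FRAG_RE = re.compile(
    r"next-header Fragment \(44\) payload length: (?P<plen>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+): frag \((?P<ident>0x[0-9a-f]+):(?P<off>\d+)\|(?P<flen>\d+)\)"
)


@dataclass
class Fragment:
    src: str
    dst: str
    ident: str
    offset: int       # byte offset of this piece within the original upper-layer payload
    frag_len: int     # bytes of upper-layer payload carried in this fragment
    payload_len: int  # IPv6 payload length as printed (includes the 8-byte fragment header)

    @property
    def on_wire(self) -> int:
        """Size of this fragment as it travelled: IPv6 header plus payload."""
        return IPV6_HEADER_LEN + self.payload_len

    @property
    def consistent(self) -> bool:
        """The fragment header accounts for the difference between the two printed lengths."""
        return self.payload_len - IPV6_FRAG_HEADER_LEN == self.frag_len


def parse_fragments(lines: Iterable[str]) -> List[Fragment]:
    """Extract fragment records; non-fragment lines are skipped."""
    frags = []
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            frags.append(Fragment(m["src"], m["dst"], m["ident"],
                                  int(m["off"]), int(m["flen"]), int(m["plen"])))
    return frags


def _group_by_ident(frags: List[Fragment]) -> Dict[str, List[Fragment]]:
    groups: Dict[str, List[Fragment]] = {}
    for f in frags:
        groups.setdefault(f.ident, []).append(f)
    for group in groups.values():
        group.sort(key=lambda f: f.offset)
    return groups


def infer_sender_mtu(frags: List[Fragment]) -> Dict[str, Optional[int]]:
    """Per fragment set, the MTU the sender fragmented at.

    Every fragment except the last is filled up to the sender's MTU, so the largest
    non-last fragment's on-wire size is that MTU. A lone fragment tells us nothing.
    """
    result: Dict[str, Optional[int]] = {}
    for ident, group in _group_by_ident(frags).items():
        full = group[:-1]
        result[ident] = max(f.on_wire for f in full) if full else None
    return result


def reassembled_upper_layer_bytes(frags: List[Fragment]) -> Dict[str, Optional[int]]:
    """Per fragment set, total upper-layer (here TCP) bytes, or None if a piece is missing."""
    result: Dict[str, Optional[int]] = {}
    for ident, group in _group_by_ident(frags).items():
        expected = 0
        for f in group:
            if f.offset != expected:      # gap or overlap: do not trust the total
                result[ident] = None
                break
            expected = f.offset + f.frag_len
        else:
            result[ident] = expected
    return result


def dns_message_size(tcp_segment_bytes: int, tcp_header_len: int = 32) -> int:
    """DNS bytes inside a TCP segment: strip the TCP header and DNS-over-TCP's 2-byte length prefix.

    tcp_header_len defaults to 32 (20-byte header + nop,nop,TS options) as seen in this capture.
    """
    return tcp_segment_bytes - tcp_header_len - 2


def classify(mtu: Optional[int]) -> str:
    """Turn the inferred boundary into a diagnosis."""
    if mtu is None:
        return "single fragment seen; boundary unknown"
    if mtu == IPV6_MIN_MTU:
        return "fragmented at the IPv6 minimum MTU (1280): the sender chose the minimum, not a path limit"
    if mtu > IPV6_MIN_MTU:
        return f"fragmented at {mtu}: consistent with the sender's link MTU or a learned path MTU"
    return f"fragmented at {mtu}: below the IPv6 minimum, malformed or deliberately tiny fragments"


if __name__ == "__main__":
    frags = parse_fragments(SAMPLE_LINES)
    for ident, mtu in infer_sender_mtu(frags).items():
        print(ident, classify(mtu))
    total = reassembled_upper_layer_bytes(frags)["0x304490cb"]
    print("TCP segment bytes:", total, "DNS message bytes:", dns_message_size(total))
```

Run against the sample lines it reports the 1280 boundary and a DNS message of 1235 bytes, which is exactly dig's `XFR size: 43 records (messages 1, bytes 1235)`, so the two fragments are a single, complete TCP segment that the master's IP stack split rather than letting TCP send 1500-byte segments. A firewall that drops IPv6 fragments (PF here) will therefore break every AXFR larger than about 1200 bytes from that host, and the fix belongs on the sender's socket options or BIND version, not in a looser fragment rule.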