Hi Misc,

I have been doubling as a system admin for our small university research
group for a number of years now but every now and then I get reminded of
my own ignorance. One of those moments happened a month and a half ago
when pkg management tools stopped working on all my FreeBSD file servers
and jail hosts. After wasting an hour, I got to the bottom of my
problem. Namely, my caching DNS Unbound resolvers (obviously running on
OpenBSD) which also serve my LAN and DMZ authoritatively could no longer
resolve

pkg.freebsd.org.

After wasting another hour it became clear that the authoritative DNS for
pkg.freebsd.org was no longer serving using the UDP protocol and was
expecting my DNS resolver to use TCP instead of UDP for name queries.
For a number of years I had in my /var/unbound/etc/unbound.conf the line

do-tcp: no

even though I was aware that OpenBSD 6.7 is shipped with

do-tcp: yes

To make things worse I was blocking TCP port 53.

I am not much of a DNS expert but I was under the impression that TCP was
only used for publishing record sets larger than 512 bytes. However, it
appears that I am mistaken.

https://serverfault.com/questions/181956/is-it-true-that-a-nameserver-have-to-answer-queries-over-tcp

That is not just a random garbage thread. The person whose answer was
accepted claims to be the author of RFC 5966. There is another
interesting post getting a lot of thumbs down which brings back some
of the old fights started by Daniel Bernstein.

There is a second less illuminating thread 

https://serverfault.com/questions/404840/when-do-dns-queries-use-tcp-instead-of-udp

According to the above threads it appears that DNSSEC validation requires
TCP port 53 and do-tcp: yes to work properly.

Could a kind soul who runs DNS for a living point me to the documentation
which I can use to educate myself?


Most Kind Regards,
Predrag Punosevac
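Added example, not taken from the post above or from OpenBSD: the resolver setting that caused this outage next to the corrected one, plus the pf rule that has to accompany it, since blocking TCP/53 defeats do-tcp: yes anyway. The interface name is an assumption.

```conf
# /var/unbound/etc/unbound.conf (constructed example, not the poster's file)
server:
        # The setting that broke pkg.freebsd.org lookups: UDP-only resolver.
        # do-tcp: no
        #
        # Corrected: keep UDP for the common case and allow TCP so that
        # truncated (TC-bit) answers, large DNSSEC responses and
        # authoritative servers that answer only over TCP can be reached.
        do-udp: yes
        do-tcp: yes

# /etc/pf.conf fragment (constructed example; "egress" is the assumed
# outbound interface group). A firewall that passes only UDP/53 silently
# breaks the TCP fallback no matter what unbound.conf says.
pass out on egress proto { udp tcp } from (egress) to any port 53
```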
