USADOTGOV.NET Root Problems?

Danny Mayer mayer at gis.net
Sun Jul 25 02:33:46 UTC 2010


On 7/24/2010 5:10 AM, Warren Kumari wrote:
> 
> On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote:
> 
>> On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote:
>>> Thanks for the confirmation that the problem was related to DNSSEC.
>>>
>>> I didn't see your message until I got home from work; however, I did
>>> find the root of the problem late this afternoon.  At each of our
>>> Internet egress and ingress points, we have Cisco ASA devices sitting in
>>> front of a pair of redundant firewalls.  Each ASA is configured with the
>>> default DNS inspect policy that doesn't accept fragmented UDP packets.
>>
>> Why would any inspection policy not allow fragmented UDP packets?
>> There's nothing wrong with that.
> 
> 
> Because it's "hard".... The issue is that then you need to buffer
> fragments until you get a full packet -- which leaves you open to
> attacks that send a bunch of fragments but leave one of them out.
> 
> Vendors like to avoid reassembling fragments by default, because it
> makes their performance numbers better....

At the expense of correct behavior and loss of real performance.

Danny
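An added diagnostic example (not from this thread, nor BIND's code) for the failure mode discussed above: it builds a DNSSEC-style query (EDNS0 OPT record, DO bit, DNSKEY type) with a chosen UDP buffer size, parses the OPT record and TC flag out of a reply, and classifies the outcome. A reply at 512 bytes but silence at 4096 is the signature of a middlebox dropping large or fragmented UDP responses. The server address, name, sizes and sample reply bytes are assumptions constructed for the example.

```python
import socket
import struct

def build_edns_query(name, qtype=48, udp_size=4096, do_bit=True, txid=0x1234):
    """DNS query (default type 48 = DNSKEY) with an EDNS0 OPT RR advertising udp_size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do_bit else 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):  # advance past a wire-format name, handling compression pointers
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def find_opt(msg):
    """(udp_size, do_bit) from the OPT RR of a DNS message, or None if there is none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return None

def diagnose(udp_size, response):
    """Classify a UDP probe result; response is None when nothing arrived before the timeout."""
    if response is None:
        return "large-udp-dropped" if udp_size > 512 else "no-response"
    flags = struct.unpack("!H", response[2:4])[0]
    return "truncated-retry-tcp" if flags & 0x0200 else "ok"   # 0x0200 is the TC bit

def probe(server, name, udp_size, timeout=3.0):
    """Send one query over UDP and return the raw reply, or None on timeout (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name, udp_size=udp_size), (server, 53))
        try:
            return s.recv(65535)
        except socket.timeout:
            return None

# Constructed sample reply: flags 0x8380 (QR, RD, RA, TC set), echoing the question and OPT RR.
SAMPLE_TRUNCATED = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1) + b"\x07example\x03com\x00"
                    + struct.pack("!HH", 48, 1) + b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0))
```

Run `diagnose(size, probe(server, name, size))` for size 512 and then 4096 against a resolver behind the suspect device; "ok" at 512 followed by "large-udp-dropped" at 4096 points at the inspection policy rather than at DNSSEC itself.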


