USADOTGOV.NET Root Problems?

Warren Kumari warren at kumari.net
Sun Jul 25 09:22:46 UTC 2010


On Jul 25, 2010, at 4:33 AM, Danny Mayer wrote:

> On 7/24/2010 5:10 AM, Warren Kumari wrote:
>> 
>> On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote:
>> 
>>> On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote:
>>>> Thanks for the confirmation that the problem was related to DNSSEC.
>>>> 
>>>> I didn't see your message until I got home from work; however, I did
>>>> find the root of the problem late this afternoon.  At each of our
>>>> Internet egress and ingress points, we have Cisco ASA devices sitting in
>>>> front of a pair of redundant firewalls.  Each ASA is configured with the
>>>> default DNS inspect policy that doesn't accept fragmented UDP packets.
>>> 
>>> Why would any inspection policy not allow fragmented UDP packets?
>>> There's nothing wrong with that.
>> 
>> 
>> Because it's "hard".... The issue is that then you need to buffer
>> fragments until you get a full packet -- which leaves you open to
>> attacks that send a bunch of fragments but leave one of them out.
>> 
>> Vendors like to avoid reassembling fragments by default, because it
>> makes their performance numbers better....
> 
> At the expense of correct behavior and loss of real performance.

Yes. 

Sorry if I gave the impression that I was condoning this -- I'm not.

Vendors exist to sell boxen -- tuning for the test cases at the expense of correctness often wins....

W

> 
> Danny
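The trade-off discussed in this thread (reassembling fragments means holding state, and a sender who never completes a datagram can make that state grow) is the usual justification for dropping fragments outright. The following is an added illustration, not code from anyone in this thread or from any Cisco product: a small fragment reassembler that bounds the state instead of refusing fragments, so a large (DNSSEC-sized) UDP answer still reassembles while a flood of datagrams that each withhold one fragment is capped by a table size and a timeout. The flow identifier, the 1480-byte fragment size, the addresses and the sample answer bytes are all constructed for the demonstration.

```python
"""Bounded IP-fragment reassembly (constructed example).

Fragments are held only until the datagram completes, a timeout expires,
or the pending table hits its cap, so a sender that withholds one fragment
per datagram cannot grow the reassembler's memory without bound.
"""
import time
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    flow: tuple          # (src_ip, ip_id): identifies one original datagram
    offset: int          # byte offset of this piece within the datagram
    more: bool           # True for every fragment except the last
    payload: bytes


@dataclass
class _Pending:
    first_seen: float
    total_len: Optional[int] = None               # known once the last fragment arrives
    pieces: dict = field(default_factory=dict)    # offset -> payload


class BoundedReassembler:
    def __init__(self, max_pending=64, max_datagram=65535, timeout=2.0):
        self.max_pending = max_pending
        self.max_datagram = max_datagram
        self.timeout = timeout
        self._pending = OrderedDict()   # flow -> _Pending, oldest first
        self.stats = {"completed": 0, "expired": 0, "evicted": 0, "rejected": 0}

    def pending_count(self):
        return len(self._pending)

    def expire(self, now):
        """Drop every incomplete datagram older than the timeout; return how many."""
        stale = [f for f, p in self._pending.items() if now - p.first_seen > self.timeout]
        for f in stale:
            del self._pending[f]
        self.stats["expired"] += len(stale)
        return len(stale)

    def add(self, frag, now=None):
        """Accept one fragment; return the reassembled datagram when complete, else None."""
        now = time.monotonic() if now is None else now
        self.expire(now)
        end = frag.offset + len(frag.payload)
        if frag.offset < 0 or end > self.max_datagram or not frag.payload:
            self.stats["rejected"] += 1
            self._pending.pop(frag.flow, None)   # a malformed piece discards the whole datagram
            return None
        entry = self._pending.get(frag.flow)
        if entry is None:
            if len(self._pending) >= self.max_pending:
                self._pending.popitem(last=False)   # table full: evict the oldest incomplete one
                self.stats["evicted"] += 1
            entry = self._pending[frag.flow] = _Pending(first_seen=now)
        if not frag.more:
            if entry.total_len is not None and entry.total_len != end:
                self.stats["rejected"] += 1       # two "last" fragments that disagree on length
                del self._pending[frag.flow]
                return None
            entry.total_len = end
        entry.pieces[frag.offset] = frag.payload
        data = self._try_assemble(entry)
        if data is not None:
            del self._pending[frag.flow]
            self.stats["completed"] += 1
        return data

    @staticmethod
    def _try_assemble(entry):
        if entry.total_len is None:
            return None
        pos, out = 0, []
        for off in sorted(entry.pieces):
            if off != pos:            # gap or overlap: not complete
                return None
            out.append(entry.pieces[off])
            pos = off + len(entry.pieces[off])
        return b"".join(out) if pos == entry.total_len else None


def fragment(flow, datagram, mtu_payload=1480):
    """Split a datagram into fixed-size pieces, as a router would (constructed helper)."""
    frags = []
    for off in range(0, len(datagram), mtu_payload):
        chunk = datagram[off:off + mtu_payload]
        frags.append(Fragment(flow, off, off + mtu_payload < len(datagram), chunk))
    return frags


def demo():
    """A 2048-byte constructed answer reassembles even when delivered out of order;
    200 datagrams that each withhold their last fragment are capped, then expired."""
    r = BoundedReassembler(max_pending=16, timeout=2.0)
    answer = bytes(range(256)) * 8                      # larger than one Ethernet frame
    good = fragment(("192.0.2.53", 1), answer)
    got = None
    for f in reversed(good):                            # last piece arrives first
        got = r.add(f, now=0.0) or got
    for i in range(200):                                # incomplete datagrams, one each
        r.add(Fragment(("198.51.100.7", i), 0, True, b"x" * 1480), now=1.0)
    peak = r.pending_count()
    expired = r.expire(now=10.0)
    return got == answer, peak, expired, r.pending_count()


if __name__ == "__main__":
    print(demo())   # (True, 16, 16, 0)
```

The cap and the timeout are the two knobs that turn "buffer fragments" from an unbounded liability into a fixed cost; the price is that under a flood, legitimate fragmented answers may be evicted too, which is the same availability trade-off a real inspection engine has to make.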



