dnssec question. confused.

Brad Bendily Brad.Bendily at LA.GOV
Wed Sep 28 20:20:19 UTC 2011


> On 9/28/11 5:32 AM, "Steve Arntzen" <isc at arntzen.us> wrote:
> > Is your firewall Cisco based?
Yes. The firewall is Cisco-based.
However, the main problem there is that there are several firewalls before
leaving our network, and my dept doesn't manage all of them.


> > There is a known "default" setting in Cisco with respect to packet 
> > size for DNS.  Our network guys run into this anytime they do an 
> > upgrade, etc. and have to go in and update the setting.
> 
> This bit me the first time I managed a PIX years ago (though, 
> in fairness, even then it was well documented on Cisco's 
> site...I just had to read logs and search), and now continues 
> on the ASA it seems...  Once it's understood, it really 
> shouldn't bite again:
> 
> https://supportforums.cisco.com/thread/2013390

I have read this site before, and I'm told the settings are there on
at least two of the firewalls, yet we still have problems.

I think the problem is a combination of the fixup or policy-map settings
and ip fragmentation. I based this conclusion on details from this thread:
https://lists.dns-oarc.net/pipermail/dns-operations/2011-February/006896.html

I think there are some IP fragment settings on firewalls in between which
are causing problems.

Using Mark's test of:
dig edns-v4-ok.isc.org txt

I can't get a reply at all from this query.

I'm waiting to discuss this with the network guy and see if we can get all
the firewalls up the chain updated.

I will let everyone know how it goes.

Thanks for the assistance.
bb
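One way to narrow down where large EDNS0 replies are being lost, as an added example that is not part of the thread above: a small Python probe that sends the same TXT query with different advertised EDNS UDP buffer sizes and reports whether a reply came back and whether the server set the TC (truncated) bit. The resolver address on argv and the buffer sizes tried are assumptions; the query name is the one from Mark's test.

```python
import random
import socket
import struct
import sys

# Assumed defaults: query the name from Mark's test against a resolver given on argv.
QUERY_NAME = "edns-v4-ok.isc.org"
BUFSIZES = (512, 1280, 4096)  # advertised EDNS0 UDP payload sizes to try (assumed)

def build_query(name, qtype=16, bufsize=4096):
    """Raw DNS query (qtype 16 = TXT) carrying an EDNS0 OPT record that
    advertises `bufsize` as the largest UDP reply we can accept."""
    qid = random.randint(0, 0xFFFF)
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR (RFC 6891): root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt

def inspect_response(data):
    """Decode the header fields that matter here: TC (server truncated because
    our bufsize was too small), RCODE, additional count and total reply size."""
    qid, flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "arcount": ar, "size": len(data)}

def probe(server, name, bufsize, timeout=3.0):
    """Send one UDP query; return the decoded header, or None on timeout.
    A reply at bufsize 512 (usually with TC set) but silence at 4096 points at a
    DNS packet-size or fragment filter in the path rather than at the server."""
    query = build_query(name, bufsize=bufsize)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return inspect_response(data)

if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default
    for size in BUFSIZES:
        result = probe(resolver, QUERY_NAME, size)
        print(f"bufsize={size:5d}: {'no reply (timeout)' if result is None else result}")
```

Run it from inside the network and again from a host outside the outermost firewall; the buffer size at which replies stop arriving tells you which hop to look at.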

