dnssec question. confused.

Joseph Karpenko karpenko at cisco.com
Thu Sep 29 21:59:09 UTC 2011


Just an FYI - This is no longer the case for ASA/PIX after the
commit of CSCta35563 - which went into the codebase in 2009.11.

After the above commit, "the default" has been changed.  Non-EDNS
replies will still have the message length set to 512.  But EDNS
replies will use the advertised buffer size value specified by the
requester in the OPT pseudo-RR.

The command "message-length maximum client auto" was added to
version 7.2.1 via the introduction of AIC inspection for DNS.
However, when introduced, if multiple maximum lengths were specified,
like:

!
policy-map type inspect dns preset_dns_map
    parameters
        message-length maximum client auto
        message-length maximum 512
!

Then the lesser of the two (typically 512 in the DNSSEC case) would
be selected.

With the fix for CSCta35563, we first check if the OPT pseudo-RR is
present in a query request, and if so, that buffer size value is
used.  Otherwise, we fall back to using the global value of 512.

In summary, customers running a version with the fix for CSCta35563
will work fine if they have the following configured:

Versions with fix for CSCta35563:
---------------------------------
!
policy-map type inspect dns preset_dns_map
    parameters
        message-length maximum client auto
        message-length maximum 512
!

Customers running a version prior to the fix for CSCta35563 will
need to increase the global message-length maximum to 4096, until
they upgrade to a version with the fix.

Versions without fix for CSCta35563:
------------------------------------
!
policy-map type inspect dns preset_dns_map
    parameters
        message-length maximum 4096
!


regards,

-- 

/karpenko

On 2011.09.28-12:47:53 -0700, michoski <michoski at cisco.com> wrote:
> Date: Wed, 28 Sep 2011 12:47:53 -0700
> From: michoski <michoski at cisco.com>
> To: Steve Arntzen <isc at arntzen.us>, bind-users at lists.isc.org
> Subject: Re: dnssec question. confused.
> 
> On 9/28/11 5:32 AM, "Steve Arntzen" <isc at arntzen.us> wrote:
>> Is your firewall Cisco based?
>> 
>> There is a known "default" setting in Cisco with respect to
>> packet size for DNS.  Our network guys run into this anytime they
>> do an upgrade, etc. and have to go in and update the setting.
> 
> This bit me the first time I managed a PIX years ago (though, in
> fairness, even then it was well documented on Cisco's site...I
> just had to read logs and search), and now continues on the ASA it
> seems...  Once it's understood, it really shouldn't bite again:
> 
> https://supportforums.cisco.com/thread/2013390
> 
> -- 
> By nature, men are nearly alike;
> by practice, they get to be wide apart.
>         -- Confucius
> 
> [   --------------- End of Included Message ---------------   ]
