dnssec question. confused.
Joseph Karpenko
karpenko at cisco.com
Thu Sep 29 21:59:09 UTC 2011
Just an FYI - This is no longer the case for ASA/PIX after the
commit of CSCta35563 - which went into the codebase in 2009.11.
After the above commit, "the default" has been changed. Non-EDNS
replies will still have the message length set to 512. But EDNS
replies will use the advertised buffer size value specified by the
requester in the OPT pseudo-RR.
The command "message-length maximum client auto" was added to
version 7.2.1 via the introduction of AIC inspection for DNS.
However, when introduced, if multiple maximum lengths were specified,
like:
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
!
Then the lesser of the two (typically 512 in the DNSSEC case) would
be selected.
With the fix for CSCta35563, we first check if the OPT pseudo-RR is
present in a query request, and if so, that buffer size value is
used. Otherwise, we fall back to using the global value of 512.
In summary, customers running a version with the fix for CSCta35563
will work fine if they have the following configured:
Versions with fix for CSCta35563:
---------------------------------
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
!
Customers running a version prior to the fix for CSCta35563 will
need to increase the global message-length maximum to 4096, until
they upgrade to a version with the fix.
Versions without fix for CSCta35563:
------------------------------------
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
!
regards,
--
/karpenko
On 2011.09.28-12:47:53 -0700, michoski <michoski at cisco.com> wrote:
> Date: Wed, 28 Sep 2011 12:47:53 -0700
> From: michoski <michoski at cisco.com>
> To: Steve Arntzen <isc at arntzen.us>, bind-users at lists.isc.org
> Subject: Re: dnssec question. confused.
>
> On 9/28/11 5:32 AM, "Steve Arntzen" <isc at arntzen.us> wrote:
>> Is your firewall Cisco based?
>>
>> There is a known "default" setting in Cisco with respect to
>> packet size for DNS. Our network guys run into this anytime they
>> do an upgrade, etc. and have to go in and update the setting.
>
> This bit me the first time I managed a PIX years ago (though, in
> fairness, even then it was well documented on Cisco's site...I
> just had to read logs and search), and now continues on the ASA it
> seems... Once it's understood, it really shouldn't bite again:
>
> https://supportforums.cisco.com/thread/2013390
>
> --
> By nature, men are nearly alike;
> by practice, they get to be wide apart.
> -- Confucius
>
> [ --------------- End of Included Message --------------- ]
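The following is an added illustration, not code from the post or from Cisco: a small Python model of the selection logic Joseph describes. It builds a constructed DNS query (with and without an EDNS0 OPT pseudo-RR), extracts the advertised UDP payload size from the OPT record's CLASS field, and then computes which reply length a "message-length maximum" policy would permit, both before the CSCta35563 fix (lesser of the configured limits) and after it (advertised size when OPT is present, otherwise the global value). The function names, the query builder and the default global value of 512 are assumptions of this example; the ASA's real inspection code is not shown here.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)


def build_query(name, qtype=1, edns_bufsize=None, dnssec_ok=False):
    """Construct a minimal DNS query; when edns_bufsize is given, append an
    OPT pseudo-RR in the additional section advertising that buffer size.
    (Constructed sample input for this example, not a captured packet.)"""
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if edns_bufsize is not None:
        # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL carries the DO bit
        ttl = 0x00008000 if dnssec_ok else 0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, ttl, 0)
    return header + question + opt


def skip_name(msg, off):
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def edns_udp_size(msg):
    """Return the UDP payload size advertised in the query's OPT pseudo-RR,
    or None if the query carries no OPT record (i.e. it is not EDNS)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # name, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass  # for OPT, CLASS is the requester's UDP payload size
    return None


def inspection_limit(query, client_auto, global_max=512, fixed=True):
    """Model the maximum reply length DNS inspection would permit for `query`.

    client_auto : whether "message-length maximum client auto" is configured
    global_max  : the configured "message-length maximum <n>" (512 by default)
    fixed       : True for a release with the CSCta35563 fix, False before it
    """
    advertised = edns_udp_size(query) if client_auto else None
    if fixed:
        # Post-fix: OPT present -> use the advertised size, else the global value.
        return advertised if advertised is not None else global_max
    # Pre-fix: the lesser of the configured limits wins.
    return min(l for l in (advertised, global_max) if l is not None)


def reply_allowed(query, reply_len, **policy):
    """True if a reply of reply_len bytes passes inspection under `policy`."""
    return reply_len <= inspection_limit(query, **policy)


if __name__ == "__main__":
    edns_q = build_query("example.com", edns_bufsize=4096, dnssec_ok=True)
    plain_q = build_query("example.com")
    for label, q in (("EDNS/DO query", edns_q), ("plain query", plain_q)):
        print(label, "pre-fix:", inspection_limit(q, True, 512, fixed=False),
              "post-fix:", inspection_limit(q, True, 512, fixed=True))
```

Running it shows the difference the post describes: with both "client auto" and "maximum 512" configured, a DNSSEC (EDNS, DO-bit) query advertising 4096 is capped at 512 on a pre-fix release, so a 3000-byte signed reply is dropped, while a fixed release allows 4096; a non-EDNS query stays at 512 either way.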