On 07/23/10 05:37, Danny Mayer wrote:
> On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote:
>> Thanks for the confirmation that the problem was related to DNSSEC.
>>
>> I didn't see your message until I got home from work; however, I did
>> find the root of the problem late this afternoon.  At each of our
>> Internet egress and ingress points, we have Cisco ASA devices sitting in
>> front of a pair of redundant firewalls.  Each ASA is configured with the
>> default DNS inspect policy that doesn't accept fragmented UDP packets.
>
> Why would any inspection policy not allow fragmented UDP packets?
> There's nothing wrong with that.

Because the default DNS inspection policy for most Cisco ASAs/FWSMs/PIXes is brain-dead. It is on by default and, in older versions, only allows DNS messages up to 512 bytes in length. In some later versions it allows something larger (1024 or 1500?), but basically makes no exceptions for EDNS0 and UDP fragments.

michael
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
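The failure mode in this thread is a size mismatch: the resolver advertises a large EDNS0 UDP buffer (so the authoritative server happily sends a DNSSEC-signed response well over 512 bytes, often as IP fragments), while a middlebox in the path silently drops anything over its own cap. Because the response fits the advertised buffer, the server never sets TC, the client never falls back to TCP, and all that is visible is a timeout. The following script is an added example (not code from the bind-users thread, ISC, or Cisco) that builds a DNS query with an EDNS0 OPT record, parses the advertised buffer size and DO bit back out, and classifies what happens to a response of a given size behind an inspection policy with a fixed length limit. The domain name, transaction id and response sizes are constructed sample values; `CLASSIC_DNS_UDP_LIMIT` is the pre-EDNS0 512-byte limit from RFC 1035.

```python
"""Model the EDNS0 / DNS-inspection size mismatch described in the thread.

Added example, not from the bind-users thread; all names and sizes below
are constructed for illustration.
"""
import struct
from typing import Optional, Tuple

CLASSIC_DNS_UDP_LIMIT = 512   # RFC 1035 UDP limit that old inspection policies still enforce
OPT_TYPE = 41                 # EDNS0 OPT pseudo-RR type
DO_BIT = 0x8000               # DNSSEC OK flag, high bit of the OPT record's "TTL" field


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234,
                edns_bufsize: Optional[int] = 4096, dnssec_ok: bool = True) -> bytes:
    """Return a DNS query. With edns_bufsize set, append an EDNS0 OPT RR to the
    additional section advertising that UDP payload size (and the DO bit)."""
    arcount = 1 if edns_bufsize is not None else 0
    # Header: id, flags (RD only), qdcount, ancount, nscount, arcount.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    msg = header + question
    if edns_bufsize is not None:
        ttl = DO_BIT if dnssec_ok else 0
        # OPT RR: root owner name, type 41, "class" carries the UDP payload
        # size, "TTL" carries extended rcode / version / flags, empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, ttl, 0)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, including a trailing compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_edns(msg: bytes) -> Optional[Tuple[int, bool]]:
    """Return (advertised UDP payload size, DNSSEC OK) from the OPT RR, or
    None when the message carries no EDNS0 record at all."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # qtype + qclass
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_BIT)
    return None


def inspection_verdict(msg: bytes, max_udp_len: int = CLASSIC_DNS_UDP_LIMIT) -> str:
    """Model a DNS inspection policy that caps UDP message length: anything
    larger than max_udp_len is dropped, whatever EDNS0 buffer was advertised."""
    return "drop" if len(msg) > max_udp_len else "pass"


def diagnose(query: bytes, response_len: int,
             policy_max: int = CLASSIC_DNS_UDP_LIMIT) -> str:
    """Classify the fate of a response of response_len bytes to this query.

    truncated : exceeds the buffer the client advertised; the server sets TC
                and a well-behaved client retries over TCP.
    dropped   : fits the advertised buffer but exceeds the middlebox cap; the
                datagram is discarded in transit and the client only times out.
    delivered : small enough for everyone in the path.
    """
    edns = parse_edns(query)
    advertised = edns[0] if edns else CLASSIC_DNS_UDP_LIMIT
    if response_len > advertised:
        return "truncated"
    if response_len > policy_max:
        return "dropped"
    return "delivered"


if __name__ == "__main__":
    # Constructed sample: a DNSKEY query with a 4096-byte EDNS0 buffer and DO set.
    q = build_query("example.com", 48)
    print("query bytes:", len(q), "edns:", parse_edns(q))
    for size in (300, 1700, 5000):
        print("response of %d bytes -> %s" % (size, diagnose(q, size)))
```

To reproduce the thread's symptom from a host behind such a device, compare `dig +dnssec +bufsize=512` (small answers and TC fallback, so it works) against `dig +dnssec +bufsize=4096` (a large UDP answer that a 512-byte cap silently drops), and confirm the same query succeeds with `dig +tcp`; a timeout on the middle case, with success on the other two, points at the inspection limit rather than at the resolver or the zone.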
