On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote:

> On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote:
>> Thanks for the confirmation that the problem was related to DNSSEC.
>>
>> I didn't see your message until I got home from work; however, I did
>> find the root of the problem late this afternoon. At each of our
>> Internet egress and ingress points, we have Cisco ASA devices sitting in
>> front of a pair of redundant firewalls. Each ASA is configured with the
>> default DNS inspect policy that doesn't accept fragmented UDP packets.
>
> Why would any inspection policy not allow fragmented UDP packets?
> There's nothing wrong with that.

Because it's "hard".... The issue is that then you need to buffer fragments until you get a full packet -- which leaves you open to attacks that send a bunch of fragments but leave one of them out. Vendors like to avoid reassembling fragments by default, because it makes their performance numbers better....

W

> Danny

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
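The resource problem described in the reply above (an inspector must hold fragments until the datagram is whole, so a sender that never delivers the last fragment ties up that state) and the usual mitigation, as an added example that is not code from the thread or from any vendor: a reassembly table bounded per source and in total, with a timeout. Fragment tuples, the limits and the "contiguous from offset zero" completion rule are constructed simplifications, not the RFC 791 wire format.

```python
from collections import OrderedDict


class Reassembler:
    """Bounded fragment reassembly table (illustrative, constructed).

    A fragment is (src, ip_id, offset, more_fragments, payload).  Without
    max_pending / max_per_source / timeout, incomplete datagrams would
    accumulate without limit; with them, withheld last fragments cost the
    sender a slot, not the device its memory.
    """

    def __init__(self, max_pending=64, max_per_source=8, timeout=30.0):
        self.max_pending = max_pending
        self.max_per_source = max_per_source
        self.timeout = timeout
        # (src, ip_id) -> {"t0": first-seen time, "frags": {offset: (mf, data)}}
        self.pending = OrderedDict()
        self.dropped = 0  # incomplete datagrams discarded by policy

    def _expire(self, now):
        stale = [k for k, v in self.pending.items() if now - v["t0"] > self.timeout]
        for key in stale:
            del self.pending[key]
            self.dropped += 1

    def offer(self, frag, now):
        """Accept one fragment; return the reassembled payload when complete."""
        src, ip_id, offset, mf, data = frag
        self._expire(now)
        key = (src, ip_id)
        if key not in self.pending:
            if sum(1 for k in self.pending if k[0] == src) >= self.max_per_source:
                self.dropped += 1  # this source already holds its quota
                return None
            if len(self.pending) >= self.max_pending:
                self.pending.popitem(last=False)  # evict the oldest datagram
                self.dropped += 1
            self.pending[key] = {"t0": now, "frags": {}}
        self.pending[key]["frags"][offset] = (mf, data)
        return self._try_complete(key)

    def _try_complete(self, key):
        frags, pos, out = self.pending[key]["frags"], 0, []
        while pos in frags:  # walk contiguous fragments from offset 0
            mf, data = frags[pos]
            out.append(data)
            pos += len(data)
            if not mf:  # last fragment reached with no hole before it
                del self.pending[key]
                return b"".join(out)
        return None  # a hole remains; keep buffering
```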