On Sat, 24 Jul 2010, Warren Kumari wrote:
> On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote:
>> On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote:
>>> Thanks for the confirmation that the problem was related to DNSSEC.
>>> I didn't see your message until I got home from work; however, I did
>>> find the root of the problem late this afternoon. At each of our
>>> Internet egress and ingress points, we have Cisco ASA devices sitting in
>>> front of a pair of redundant firewalls. Each ASA is configured with the
>>> default DNS inspect policy that doesn't accept fragmented UDP packets.
>>
>> Why would any inspection policy not allow fragmented UDP packets?
>> There's nothing wrong with that.
>
> Because it's "hard".... The issue is that then you need to buffer fragments
> until you get a full packet -- which leaves you open to attacks that send a bunch of
> fragments but leave one of them out.
>
> Vendors like to avoid reassembling fragments by default, because it makes their
> performance numbers better....

That's true, but it doesn't quite explain why the "DNS Inspection Policy,"
turned on by default on the PIX/FWSM/ASA, continued to have a default
maximum DNS message size of 512 bytes more than a decade after EDNS0
became a standards-track RFC.

In this case, Cisco's defaults are brain-dead. Whether that had an impact
here or the issue was due to mere fragmentation isn't clear, but those
default values have had an impact on DNSSEC deployment.
michael
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
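A way to check a resolver path for the symptom this thread describes, added here as an example and not code from any of the posters: it sends the same DNSKEY query once with a 512-byte EDNS0 buffer and once with 4096 bytes, then reads the size and TC bit of whatever comes back, so a large answer that simply never arrives stands out from one the server truncated itself. The resolver address, function names and sample bytes are assumptions.

```python
import socket
import struct

# Added example, not code from the thread. Probes whether a path delivers DNS/UDP
# responses larger than the classic 512-byte limit. The resolver address below
# is a placeholder and the byte strings in the test are constructed.

def build_edns_query(name, qtype=48, bufsize=4096, dnssec_ok=True, txid=0x1234):
    """DNS query with an EDNS0 OPT record advertising `bufsize` (RFC 6891).
    qtype 48 = DNSKEY, whose signed answers usually exceed 512 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(struct.pack("!B", len(l)) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries ext-rcode/version/flags (DO bit = 0x8000), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt

def classify_response(data):
    """The header fields that matter here: total size, TC bit, RCODE."""
    _, flags, _, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    return {"size": len(data), "truncated": bool(flags & 0x0200), "rcode": flags & 0x000F}

def probe(server, name, bufsize, timeout=3.0):
    """Send one query over UDP; None means no reply within `timeout`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name, bufsize=bufsize), (server, 53))
        try:
            return classify_response(s.recv(65535))
        except socket.timeout:
            return None

def diagnose(small, large):
    """Compare the 512-byte probe with the 4096-byte probe of the same name."""
    if large is not None and large["size"] > 512 and not large["truncated"]:
        return "ok: responses above 512 bytes arrive intact"
    if large is None and small is not None:
        return "suspect: large EDNS0 responses lost, check for fragment or DNS-size filtering"
    if small is not None and small["truncated"] and large is not None and large["truncated"]:
        return "suspect: server truncates even at 4096, check server-side limits"
    return "inconclusive"

if __name__ == "__main__":
    resolver = "192.0.2.53"  # placeholder resolver address
    print(diagnose(probe(resolver, ".", 512), probe(resolver, ".", 4096)))
```

Run it once from inside the filtered network and once from outside; a "suspect" verdict only on the inside is the signature of a middlebox capping message size or dropping fragments.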