On Jul 25, 2010, at 4:33 AM, Danny Mayer wrote:

> On 7/24/2010 5:10 AM, Warren Kumari wrote:
>>
>> On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote:
>>
>>> On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote:
>>>> Thanks for the confirmation that the problem was related to DNSSEC.
>>>>
>>>> I didn't see your message until I got home from work; however, I did
>>>> find the root of the problem late this afternoon. At each of our
>>>> Internet egress and ingress points, we have Cisco ASA devices sitting in
>>>> front of a pair of redundant firewalls. Each ASA is configured with the
>>>> default DNS inspect policy that doesn't accept fragmented UDP packets.
>>>
>>> Why would any inspection policy not allow fragmented UDP packets?
>>> There's nothing wrong with that.
>>
>> Because it's "hard".... The issue is that then you need to buffer
>> fragments until you get a full packet -- which leaves you open to
>> attacks that send a bunch of fragments but leave one of them out.
>>
>> Vendors like to avoid reassembling fragments by default, because it
>> makes their performance numbers better....
>
> At the expense of correct behavior and loss of real performance.
Yes. Sorry if I gave the impression that I was condoning this -- I'm not. Vendors exist to sell boxen -- tuning for the test cases at the expense of correctness often wins....

W

> Danny

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
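The failure described in this thread is a size problem: with DNSSEC enabled a resolver advertises a large EDNS0 UDP buffer (commonly 4096), the authoritative server sends a reply bigger than one Ethernet frame, and the reply arrives as IP fragments that a fragment-dropping inspect policy silently discards. The following is an added example, not code from the thread or from ISC: it builds a query with an EDNS0 OPT record for a chosen buffer size, and classifies a UDP reply as fitting in one frame, needing fragmentation, or truncated (TC set, so the client retries over TCP). The 1472-byte limit assumes a plain 1500-byte IPv4 path with no tunnelling, and the replies are constructed in the script so it runs offline.

```python
"""
Added example, not code from the bind-users thread: build a DNS query with an
EDNS0 OPT record advertising a chosen UDP buffer size, and classify a UDP
reply by whether it is truncated or would have needed IP fragmentation to
reach us.  Replies below are constructed inline so this runs offline.
"""
import struct

# Largest UDP payload that fits one 1500-byte IPv4 frame without fragmenting
# (1500 - 20 IPv4 header - 8 UDP header).  Assumes no extra encapsulation.
IPV4_UDP_PAYLOAD_MAX = 1500 - 20 - 8


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, bufsize=4096, dnssec_ok=True, txid=0x1234):
    """Return a RD=1 query for qname/qtype with an EDNS0 OPT record."""
    # Header: ID, flags (RD), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, TYPE 41, CLASS carries the advertised UDP
    # payload size, TTL carries ext-RCODE/version/flags (DO bit is 0x8000), RDLEN 0
    flags = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, flags, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the fixed 12-byte DNS header into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_reply(msg, udp_payload_max=IPV4_UDP_PAYLOAD_MAX):
    """Say how a UDP reply of this size fares on a path that drops fragments."""
    if parse_header(msg)["tc"]:
        return "truncated"      # server could not fit the answer: client retries over TCP
    if len(msg) > udp_payload_max:
        return "fragmented"     # needs IP fragments; a fragment-dropping inspect policy loses it
    return "ok"


def advertised_bufsize(query):
    """Read the UDP payload size a query advertises (assumes the OPT RR is the last RR)."""
    return struct.unpack("!H", query[-8:-6])[0]


def make_reply(txid, tc=False, size=64):
    """Constructed reply: QR/RD/RA set, optional TC, zero-padded to `size` bytes."""
    flags = 0x8180 | (0x0200 if tc else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + b"\x00" * (size - len(header))


if __name__ == "__main__":
    q = build_query("example.com", qtype=48, bufsize=4096)   # DNSKEY query, DO=1
    print("advertising", advertised_bufsize(q), "bytes")
    for name, reply in [("small", make_reply(0x1234, size=200)),
                        ("big-dnssec", make_reply(0x1234, size=1800)),
                        ("tc", make_reply(0x1234, tc=True, size=40))]:
        print(name, len(reply), classify_reply(reply))
```

The script only does the size arithmetic; it does not model the ASA itself. What it shows is why the usual workaround on the resolver side is to advertise a buffer size below the single-frame limit (1232 is the value many operators settled on, used here as an assumption rather than something the thread recommends): a server that cannot fit the answer then sets TC instead of emitting fragments, and the resolver retries over TCP, which is not subject to fragment handling at all.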