On 12/10/10 08:17, Martin McCormick wrote:
As a reminder, none of this is on our master DNS yet, so we are still doing the normal activities. Our firewalls are supposed to be adjusted to allow the 4096-byte DNS packets in the next day or so, so all the testing is being done on another box for now.
Note that the EDNS0 standard (RFC 2671) does not limit the size of EDNS0-enabled UDP responses to 4096 bytes, and many implementations can be configured to accept UDP response sizes up to 65536 bytes. 4096 is merely the default. As long as you're modifying firewalls now, you might want to allow for a larger UDP response.
In addition, don't assume you can block TCP/53 (or limit TCP responses to 4096 bytes) just because you allow EDNS0 responses. First, some implementations have smaller EDNS0 buffers and will more quickly fall back to TCP. Second, some responses will still be larger than 4096 bytes. When I was signing berkeley.edu with both algorithms 5 and 10, a query of "berkeley.edu ANY" yielded a response of over 4100 bytes!
It sounds like you're being careful with your FW, but I thought I'd let you know of some gotchas anyway. It's a reason to follow Kevin's advice and publish your signed zones without publishing the keys, so that you can see if the larger responses cause problems.
michael

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
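As an added example (not code from the thread), the following Python builds a DNS query that advertises a chosen EDNS0 UDP payload size, reads that size back out of the OPT record, and checks the TC bit that forces a retry over TCP/53; the truncated response is a constructed sample, and "berkeley.edu ANY" is just the query from Michael's message.

```python
import struct

def build_edns_query(name, qtype=255, udp_payload=4096, txid=0x1234):
    """Build a DNS query with an EDNS0 OPT pseudo-RR advertising udp_payload bytes.
    The size lives in the OPT CLASS field, which is 16 bits, so 65535 is the ceiling."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype 255 = ANY, class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags (DO bit), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0x00008000, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Advance past a wire-format name, including a compression pointer."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:
            return off + 2
        off += l + 1

def advertised_udp_size(msg):
    """Return the UDP payload size in the message's OPT RR, or 512 (RFC 1035) if there is none."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return 512

def needs_tcp_retry(response):
    """True when TC is set: the answer did not fit the UDP buffer, so the client must retry on TCP/53."""
    flags = struct.unpack_from("!H", response, 2)[0]
    return bool(flags & 0x0200)

# Constructed sample: a response with QR, TC, RD and RA set and no OPT record, the shape a
# client sees when a large signed ANY answer overflows whatever buffer the server honoured.
TRUNCATED_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                      + build_edns_query("berkeley.edu")[12:-11])
```

A firewall that passes 4096-byte UDP but drops TCP/53 breaks exactly the path `needs_tcp_retry` triggers.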