There was also a message-length client auto or something like that too
for some versions of some Cisco HW, but if memory serves, the version
that introduced it is broken. :)
On 02/23/2011 04:54 PM, Warren Kumari wrote:
In PIX versions 6.3.2 and below you had to do:
fixup protocol dns maximum-l
In PIX versions 6.3.2 and below you had to do:
fixup protocol dns maximum-length 4096
In later versions you need:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
or to increase the response size length:
policy-map global_policy
class inspection_default
inspect
A couple more gems:
https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf
(really anything at dnssec-deployment.org)
There was another table that I found someplace and cannot find now that
listed Cisco PIX and mentioned w
istophercain.ca
>
>
>
>> -- Forwarded message --
>> From: Ryan Novosielski
>> To: bind-users@lists.isc.org
>> Date: Wed, 23 Feb 2011 11:39:41 -0500
>> Subject: Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses
Take a look at this. It is somewhat confusing, but it is helpful and
should tell you right away if you definitely have a firewall issue (and
frankly there's little else it could be).
https://www.dns-oarc.net/oarc/services/replysizetest
On 02/23/2011
Thanks, Mark,
Last June I asked our firewall person to make sure our firewall was not
blocking DNS packets over 512 bytes. He told me our firewall was not
blocking. I guess that might be some default setting of the firewall
and he does not really know. I did two digs here, one with +dnssec and
In message <0539E64AD2B54AD2804C2394F923800B@se179>, "Shaoquan Lin" writes:
> Mark,
>
> Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is that I
> can not get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from
> b.gov-servers.net by BIND 9.6.1-P3 but with no problem with
o set "tc"?
Thank you.
Shaoquan Lin
- Original Message -
From: "Mark Andrews"
To: "Shaoquan Lin"
Cc:
Sent: Saturday, February 19, 2011 6:08 AM
Subject: Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses
In message <17894D6D30484DDFBBE95BEF9
In message <17894D6D30484DDFBBE95BEF987FF5D1@se179>, "Shaoquan Lin" writes:
> Ryan,
>
> Have you solved your problem? I have similar problems. I run BIND
> 9.6..1-P3 on my Solaris 10 and can not resolve anything in domain
> nyc.gov. One thing I noticed is: BIND 9.3 send query to
> b.gov-
Ryan,
Have you solved your problem? I have similar problems. I run BIND 9.6..1-P3 on
my Solaris 10 and can not resolve anything in domain nyc.gov. One thing I
noticed is: BIND 9.3 send query to b.gov-servers.net with no Additional
records and got a response with A records for the nyc.gov NS
max-udp-size controls what you send.
MAX(512, MIN(max-udp-size, client's UDP size))
edns-udp-size controls what you advertise you can receive.
MAX(512, MIN(edns-udp-size, server's UDP size))
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 98
On 02/11/2011 01:21 PM, Ryan Novosielski wrote:
> On 02/10/2011 04:19 PM, Chuck Swiger wrote:
>> On Feb 10, 2011, at 12:39 PM, Ryan Novosielski wrote:
>>> health.nyc.gov query-errors:
>>>
>>> 10-Feb-2011 15:32:30.682 query-errors: debug 1: client
>>> 1