[dns-operations] DNS maximum packet size

Patrick, Robert Robert.Patrick at hq.doe.gov
Fri Sep 18 17:50:15 UTC 2009


Are firewall vendors working to increase the default settings for DNS
maximum packet size in order to better support EDNS and DNSSEC?

Cisco firewalls have a default maximum packet size for DNS set to 512
bytes, and I'm going to guess similar settings exist for other vendor
firewalls.

A recent inquiry to increase the default setting for DNS maximum packet
size enforcement on Cisco firewalls was answered with "the default
configuration change is not on our firewall roadmap".

Is anybody working to get the vendors to put this change into product
roadmaps, especially as year-end approaches and the OMB deadline is
reached?

Example configuration change for Cisco ASA and FWSM shown below:

--/--

conf t
!
! Raise the message-length limit in the default DNS inspection map from
! 512 bytes to 4096 bytes so EDNS0/DNSSEC replies are not dropped by
! "inspect dns".
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
!
! Make sure the global service policy actually applies that map.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
end

--/--
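A practical check to go with the firewall change above, added here as an example and not part of the original post: a Python 3 script (standard library only) that builds a DNS query carrying an EDNS0 OPT record advertising a 4096-byte UDP payload with the DO bit set, sends it to a resolver, and reports whether a reply larger than 512 bytes came back intact, came back truncated (TC=1), or never arrived. The resolver address, query name and type are the caller's choice; the two sample replies embedded for offline use are constructed, not captured traffic.

```python
"""Probe whether a resolver path passes EDNS0 replies larger than 512 bytes.

Added example for the firewall discussion above; standard library only.
Usage: python3 edns_probe.py <resolver-ip> <name> [qtype-number]
"""
import random
import socket
import struct
import sys

EDNS_BUFSIZE = 4096   # UDP payload size advertised in the OPT record
CLASSIC_LIMIT = 512   # pre-EDNS limit that older firewall defaults enforce


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, root label last."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, bufsize=EDNS_BUFSIZE, txid=0x1234, dnssec_ok=True):
    """Build a recursive DNS query carrying an EDNS0 OPT record.

    The OPT record (RFC 6891) sits in the additional section: owner name is
    the root, TYPE=41, CLASS carries the UDP payload size, and the TTL field
    carries extended RCODE/version/flags, where bit 15 is DO (DNSSEC OK).
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    ttl_field = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, ttl_field, 0)
    return header + question + opt


def classify_response(data, expected_txid=None):
    """Say what a 512-byte clamp would have done to this reply.

    'large-reply-passed' : reply > 512 bytes arrived intact, the path is EDNS-clean
    'truncated'          : TC=1, the client has to retry over TCP
    'fits-in-512'        : reply was small, so this probe proves nothing about a clamp
    """
    if len(data) < 12:
        return "malformed"
    txid, flags = struct.unpack("!HH", data[:4])
    if expected_txid is not None and txid != expected_txid:
        return "txid-mismatch"
    if flags & 0x0200:  # TC bit
        return "truncated"
    if len(data) > CLASSIC_LIMIT:
        return "large-reply-passed"
    return "fits-in-512"


# Constructed sample replies (not captured traffic) for offline checks of the classifier.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)              # QR, TC, RD, RA
SAMPLE_LARGE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1) + b"\x00" * 700  # 712-byte reply


def probe(server, name, qtype=1, bufsize=EDNS_BUFSIZE, timeout=3.0):
    """Send one UDP query and return (verdict, reply_size).

    A firewall still enforcing 512 bytes usually shows up as 'no-reply':
    the resolver sends a large answer and the firewall silently drops it.
    """
    txid = random.randrange(0, 0x10000)
    query = build_query(name, qtype, bufsize, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return "no-reply", 0
    return classify_response(data, txid), len(data)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(__doc__)
    resolver, qname = sys.argv[1], sys.argv[2]
    qtype = int(sys.argv[3]) if len(sys.argv) > 3 else 48  # 48 = DNSKEY, usually >512 bytes when signed
    verdict, size = probe(resolver, qname, qtype)
    print(f"{qname}/{qtype} via {resolver}: {verdict} ({size} bytes)")
```

Run it from a host behind the firewall against a resolver on the far side, asking for a record you know exceeds 512 bytes (a DNSKEY set from a signed zone is the usual choice). "large-reply-passed" means the path is fine; "no-reply" on that query while small queries succeed is the signature of a device still clamping at 512. The same probe can be done with `dig +dnssec +bufsize=4096`; the script exists so the classification can be automated across many resolver/firewall pairs.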

 
