[dns-operations] DNS maximum packet size

Patrick, Robert Robert.Patrick at hq.doe.gov
Fri Sep 18 17:50:15 UTC 2009

Are firewall vendors working to increase the default settings for DNS
maximum packet size in order to better support EDNS and DNSSEC?

Cisco firewalls have a default maximum packet size for DNS set to 512
bytes, and I'm going to guess similar settings exist for other vendor

A recent inquiry to increase the default setting for DNS maximum packet
size enforcement on Cisco firewalls was answered with "the default
configuration change is not on our firewall roadmap".

Is anybody working to get the vendors to put this change into product
roadmaps, especially as year-end approaches and the OMB deadline is

Example configuration change for Cisco ASA and FWSM shown below:

conf t
policy-map type inspect dns preset_dns_map
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
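As an added illustration (not part of the original post): a small Python probe that builds an EDNS0 query advertising a 4096-byte UDP payload and classifies a reply against the 512-byte default versus the raised 4096-byte message-length maximum from the configuration above. The function names, the choice of DNSKEY as query type and the resolver argument to `probe` are my own assumptions.

```python
import socket
import struct

DEFAULT_LIMIT = 512    # Cisco inspect-dns default discussed in the post
RAISED_LIMIT = 4096    # value set by "message-length maximum 4096"

def build_edns_query(name, qtype=48, udp_payload=4096, do_bit=True, txid=0x1234):
    """Wire-format query for name/qtype carrying an EDNS0 OPT RR.
    qtype 48 is DNSKEY (assumed here), whose answers routinely exceed 512 bytes."""
    # Header: id, flags (RD), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # QCLASS IN
    # OPT RR (RFC 6891): root owner name, TYPE 41, CLASS = requestor's UDP
    # payload size, TTL = ext-RCODE/version/DO-bit/Z, RDLENGTH 0 (no options)
    ttl = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, ttl, 0)
    return header + question + opt

def edns_udp_payload(msg):
    """Advertised UDP payload size from a trailing option-less OPT RR, else None."""
    if len(msg) < 23 or msg[-11:-8] != b"\x00\x00\x29" or msg[-2:] != b"\x00\x00":
        return None
    return struct.unpack("!H", msg[-8:-6])[0]

def truncated(msg):
    """True when the TC bit is set: the server fell back to a 512-byte answer."""
    return bool(msg[2] & 0x02)

def inspection_verdict(msg, limit):
    """What 'message-length maximum <limit>' inspection does with this message."""
    return "pass" if len(msg) <= limit else f"drop ({len(msg)} > {limit} bytes)"

def probe(server, name, udp_payload=4096, timeout=3.0):
    """Send the EDNS query to a resolver you operate and report how each limit treats the reply.
    No reply at 4096 but a reply at 512 points to an intermediary still enforcing 512."""
    query = build_edns_query(name, udp_payload=udp_payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(65535)
        except socket.timeout:
            return {"reply": False}
    return {"reply": True, "size": len(reply), "tc": truncated(reply),
            "at_512": inspection_verdict(reply, DEFAULT_LIMIT),
            "at_4096": inspection_verdict(reply, RAISED_LIMIT)}
```

Padding the 40-byte query with 2000 zero bytes (constructed, not valid DNS data) stands in for a DNSSEC-sized answer: `inspection_verdict` reports a drop at 512 and a pass at 4096.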



