[dns-operations] DNS maximum packet size
Patrick, Robert
Robert.Patrick at hq.doe.gov
Fri Sep 18 17:50:15 UTC 2009
Are firewall vendors working to increase the default settings for DNS
maximum packet size in order to better support EDNS and DNSSEC?
Cisco firewalls have a default maximum packet size for DNS set to 512
bytes, and I'm going to guess similar settings exist for other vendor
firewalls.
A recent inquiry to increase the default setting for DNS maximum packet
size enforcement on Cisco firewalls was answered with "the default
configuration change is not on our firewall roadmap".
Is anybody working to get the vendors to put this change into product
roadmaps, especially as year-end approaches and the OMB deadline is
reached?
Example configuration change for Cisco ASA and FWSM shown below:
--/--
conf t
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
end
--/--