Re: DNSSEC reminder

From: Sushil Choudhary <suschoud_at_cisco.com>
Date: Tue, 4 May 2010 22:37:04 +0530

Ignore if you are already aware. You may see some cases of internet loss due
to DNS resolution failure.

On May 5, the world's top domain authorities (led by ICANN, the US
Government and Verisign) will complete the first phase of the roll-out of
DNSSEC (Domain Name System Security Extensions) across the 13 root servers
that direct user requests to the relevant websites on the internet.

A response to a standard DNS request tends to be in a single packet (UDP
protocol) and tends to fall below 512 bytes in size. The solution to DNSSEC,
i.e. EDNS0, has been supported since PIX days, but is not the default
config. EDNS0 uses a packet size higher than 512 bytes. So, the solution is
just to increase the DNS fixup/inspect allowed length to 4096 or set it to
'Auto' on ASA code 8.2.2 onwards.

Note that IOS FW does not have a resolution to this.

Regards,

Sushil

----- Original Message -----
From: "Piotr Matusiak" <pitt2k_at_gmail.com>
To: "Cisco certification" <ccielab_at_groupstudy.com>; "Cisco certification"
<security_at_groupstudy.com>
Sent: Tuesday, May 04, 2010 3:54 PM
Subject: DNSSEC reminder

> Gents (and Ladies),
>
> Just want to remind you that tomorrow (5th of May) is a day when Internet
> DNS root servers roll-out DNSSEC.
> This can cause potential issues if you use ASA/PIX/FWSM on your networks
> with default DNS inspection enabled.
> For more information go to my blog: http://www.ccie1.com/?p=201
>
> Cheers,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
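As an added illustration (not taken from either message), the ASA DNS inspection settings Sushil refers to, with the default 512-byte cap beside the relaxed form. The policy-map name preset_dns_map and the global_policy attachment are the ASA factory defaults; the 4096 value and the "client auto" keyword (ASA 8.2(2) and later) are as stated in the mail.

```cisco
! Default ASA/PIX DNS inspection: any DNS message longer than 512 bytes is
! dropped, so DNSSEC-enabled (EDNS0) responses from the signed root fail and
! the resolver behind the firewall sees timeouts, the symptom described above.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
! Corrected: raise the cap to 4096 bytes, or on ASA 8.2(2) and later let the
! ASA honour the UDP payload size the client advertises in its EDNS0 OPT
! record ("Auto" in the mail). Both lines may be present; "client auto"
! takes precedence for clients that send EDNS0, the fixed value for the rest.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 4096
!
! preset_dns_map is already bound to all traffic by the default global policy,
! so no change is needed here; shown for completeness.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global
!
! Verify the running inspection settings and drop counters after the change:
!   show running-config policy-map type inspect dns
!   show service-policy inspect dns
```

After applying the change, a DNSSEC query for the root zone that previously timed out should return its full (larger than 512-byte) response through the ASA.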

Received on Tue May 04 2010 - 22:37:04 ART
