Sushil / Piotr,
> -----Original Message-----
> Sent: Tuesday, May 04, 2010 1:07 PM
> To: Piotr Matusiak; Cisco certification; Cisco certification
> Subject: Re: DNSSEC reminder
>
> Ignore if you are already aware. You may see some cases of internet loss due
> to DNS resolution failure.
>
> On May 5, the world's top domain authorities (led by ICANN, the US
> Government and Verisign) will complete the first phase of the roll-out of
> DNSSEC (Domain Name System Security Extensions) across the 13 root servers
> that direct user requests to the relevant websites on the internet.
>
> A response to a standard DNS request tends to be in a single packet (UDP
> protocol) and tends to fall below 512 bytes in size. The solution to DNSSEC,
> i.e. EDNS0, has been supported since PIX days but is not the default
> config. EDNS0 uses a packet size higher than 512 bytes. So, the solution is
> just to increase the DNS fixup/inspect allowed length to 4096 or set it to
> 'Auto' on ASA code 8.2.2 onwards.
>
Thanks for bringing this to my attention. I've been seeing the issues with EDNS cropping up more lately; now I have better reason to apply the fix globally.
-ryan
Received on Tue May 04 2010 - 17:45:37 ART
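
The size mismatch discussed in this thread, as an added example that is not part of the original messages: the Python below builds a DNS query with an EDNS0 OPT record, reads back the UDP payload size the client advertises, and classifies what happens to a response of a given length. The function names, the sample sizes and the simplified model of the inspection limit (a message longer than the limit is assumed to be dropped, and "auto" is assumed to follow the client's advertised size) are assumptions of this example.

```python
import struct

OPT = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)

def build_query(name, edns_size=None, do_bit=False, qtype=1, txid=0x1234):
    """Build a DNS query; with edns_size set, append an OPT RR advertising that UDP size."""
    labels = [l.encode("ascii") for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += qname + struct.pack("!2H", qtype, 1)
    if edns_size:
        flags = 0x8000 if do_bit else 0  # DO ("DNSSEC OK") bit inside the OPT TTL field
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_size, flags, 0)
    return msg

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes long
            return off + 2
        off += 1 + n

def edns_info(msg):
    """Return (advertised_udp_size, do_bit) from the OPT RR, or None without EDNS0."""
    try:
        _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == OPT:
                return rclass, bool(ttl & 0x8000)  # CLASS carries the UDP size
            off += 10 + rdlen
    except (IndexError, struct.error):
        pass  # malformed or truncated message: treat as no EDNS0
    return None

def verdict(query, response_len, inspect_max=512):
    """Classify a UDP response under a modelled inspection limit (int or 'auto')."""
    info = edns_info(query)
    advertised = info[0] if info else 512  # classic DNS limit without EDNS0
    limit = advertised if inspect_max == "auto" else inspect_max
    if response_len > advertised:
        return "truncated"  # server sets TC, client retries over TCP
    return "dropped" if response_len > limit else "passed"
```

A 1300-byte signed response to a query advertising 4096 bytes is classified as dropped at a 512-byte limit and passed at 4096 or "auto", which is the failure and the fix described in the quoted message.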