Cisco's enhancement request related to this subject for ASA/PIX
platform. You would need a CCO ID to see the details.
Regards,
Sushil
----- Original Message -----
From: "Greg Ferro" <gregferro_at_mac.com>
To: "Cisco certification" <ccielab_at_groupstudy.com>; "Cisco certification"
<security_at_groupstudy.com>
Sent: Wednesday, May 05, 2010 1:59 AM
Subject: Re: DNSSEC reminder
> Dan Hughes did a great writeup on this at EtherealMind.
>
> http://etherealmind.com/dnssec-and-why-the-internet-probably-wont-break-today/
>
> On 4 May 2010, at 18:07, Sushil Choudhary wrote:
>
>> Ignore if you are already aware. You may see some cases on internet loss
>> due to DNS resolution failure.
>>
>>
>>
>> On May 5, the world's top domain authorities (led by ICANN, the US
>> Government and Verisign) will complete the first phase of the roll-out of
>> DNSSEC (Domain Name System Security Extensions) across the 13 root
>> servers that direct user requests to the relevant websites on the
>> internet.
>>
>>
>>
>> A response to a standard DNS request tends to be in a single packet (UDP
>> protocol) and tends to fall below 512 bytes in size. The solution to
>> DNSSEC i.e. EDNS0 has been supported since PIX days, but, is not the
>> default config. EDNS0 uses packet size higher than 512 bytes. So, the
>> solution is just to increase the DNS fixup/inspect allowed length to 4096
>> or set it to 'Auto' on ASA code 8.2.2 onwards.
>>
>>
>>
>> Note that IOS FW does not have a resolution to this.
>>
>> Regards,
>>
>> Sushil
>>
>> ----- Original Message ----- From: "Piotr Matusiak" <pitt2k_at_gmail.com>
>> To: "Cisco certification" <ccielab_at_groupstudy.com>; "Cisco certification"
>> <security_at_groupstudy.com>
>> Sent: Tuesday, May 04, 2010 3:54 PM
>> Subject: DNSSEC reminder
>>
>>
>>> Gents (and Ladies),
>>>
>>> Just want to remind you that tomorrow (5th of May) is a day when Internet
>>> DNS root servers roll out DNSSEC.
>>> This can cause potential issues if you use ASA/PIX/FWSM on your networks
>>> with default DNS inspection enabled.
>>> For more information go to my blog: http://www.ccie1.com/?p=201
>>>
>>> Cheers,
>>> --
>>> Piotr Matusiak
>>> CCIE #19860 (R&S, Security)
>>> Technical Instructor
>>> website: www.MicronicsTraining.com
>>> blog: www.ccie1.com
>>>
>>> If you can't explain it simply, you don't understand it well enough -
>>> Albert Einstein
Received on Wed May 05 2010 - 05:34:35 ART
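
Added example, not part of the thread and not Cisco code: a Python sketch of the size issue discussed above, building a DNS query that advertises a 4096-byte EDNS0 payload with the DO bit set and checking a response length against a firewall's DNS length limit. `inspection_verdict`, its reading of 'auto' as "follow the client's advertised size", and the 800-byte response size are assumptions made for illustration.

```python
import struct

def encode_name(name):
    parts = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, qtype=48, edns=True, udp_size=4096, do=True, txid=0x1234):
    """DNS query (default type 48 = DNSKEY), optionally with an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        flags = 0x8000 if do else 0  # DO bit: client wants DNSSEC records
        # OPT RR: root name, type 41, CLASS field = advertised UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, flags, 0)
    return msg

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer
            return off + 2
        off += 1 + n

def edns_info(msg):
    """Return (advertised_udp_size, do_bit), or None when there is no OPT record."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return None

def inspection_verdict(query, response_len, max_len):
    """Assumed model of a length check; max_len is a byte limit or 'auto'."""
    info = edns_info(query)
    advertised = info[0] if info else 512  # no OPT record: classic 512-byte limit
    limit = advertised if max_len == "auto" else max_len
    return "pass" if response_len <= limit else "drop"

if __name__ == "__main__":
    q = build_query(".")  # constructed query for the root zone's DNSKEY set
    for setting in (512, 4096, "auto"):
        print(setting, inspection_verdict(q, 800, setting))  # 800 is a constructed size
```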