Dnssec
  • Dnssec

    One of my helpdesk lads pointed me in the direction of This Register post today about DNSSEC.

    I felt pretty stupid when I had to admit that I hadn't heard anything about it.

    Does anyone know the maximum UDP packet size that I should be setting on my firewalls? I run Juniper in my core and these seem to have 512 set as a default in the DPI.

    Cheers
    Dean

  • #2
    Re: Dnssec

    Why the 5th of May? It looks like 7 out of 13 root servers and some country-level domain servers are returning signed packets already: http://www.h-online.com/security/new...rs-962569.html.
    If you are using root hints, remove all the other servers and leave, let's say, the K-root server, and monitor the impact.
    I have noticed this RFC, http://tools.ietf.org/html/rfc3226, which mentions the UDP packet sizes.


    • #3
      Re: Dnssec

      Originally posted by DeanPorter:
      One of my helpdesk lads pointed me in the direction of This Register post today about DNSSEC.

      I felt pretty stupid when I had to admit that I hadn't heard anything about it.

      Does anyone know the maximum UDP packet size that I should be setting on my firewalls? I run Juniper in my core and these seem to have 512 set as a default in the DPI.

      Cheers
      Dean
      I could be wrong but if you're using DNSSEC then you don't really need a legacy validation method such as checking the packet size.


      • #4
        Re: Dnssec

        Originally posted by Garen:
        I could be wrong but if you're using DNSSEC then you don't really need a legacy validation method such as checking the packet size.
        The problem is that a DNSSEC packet is larger than 512 bytes and many routers/firewalls may block DNS packets (incoming query answers) that have DNSSEC info and are therefore larger than 512 bytes.

        I know our firewalls have a problem with this and as there's no budget for replacements I've chosen to use forwarders instead of the root hint servers.

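        Added example (my own code, not something any poster in this thread wrote) illustrating the point in #4 and the RFC 3226 reference in #2. A DNSSEC-aware client advertises a UDP payload size larger than the classic 512 bytes through an EDNS0 OPT record in the additional section and sets the DO ("DNSSEC OK") bit; RFC 3226 requires DNSSEC-capable servers to accept at least 1220 bytes and recommends 4000, and 4096 is the value most resolvers advertise today. The script builds such a query, builds a constructed (not real) signed-looking answer of the size the thread is worried about, decodes the flags and OPT record from either message, and shows what a DPI rule with a fixed 512-byte DNS limit would do with the answer. The query name example.com, the 600-byte filler RDATA and the limit values are assumptions made for the example.

```python
# Added example, not from the original thread: build an EDNS0/DNSSEC-style
# query, inspect DNS messages for the advertised UDP size, the DO bit, the
# TC flag and the datagram length, and compare that length with a fixed
# DPI limit such as the 512-byte default discussed in the thread.
import struct

CLASSIC_UDP_LIMIT = 512      # RFC 1035 maximum DNS-over-UDP payload
EDNS_UDP_SIZE = 4096         # payload size a DNSSEC-aware resolver typically advertises
DO_FLAG = 0x8000             # "DNSSEC OK" bit in the OPT record's TTL field (RFC 3225)
TC_FLAG = 0x0200             # truncation bit in the DNS header flags


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=6, txid=0x1234, udp_size=EDNS_UDP_SIZE, do=True):
    """Build a DNS query (default qtype 6 = SOA) with an EDNS0 OPT pseudo-RR.

    The OPT record (RFC 6891) sits in the additional section: owner name "."
    (one zero byte), type 41, the CLASS field carries the UDP payload size,
    the TTL field carries extended RCODE/version/flags (DO bit), RDATA is empty.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    ttl = DO_FLAG if do else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return header + question + opt


def skip_name(msg, offset):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def inspect_message(msg):
    """Summarise header flags, EDNS0 OPT contents and size of a DNS message."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                       # QTYPE + QCLASS
    edns_size, do = None, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                                     # OPT pseudo-RR
            edns_size = rclass                              # CLASS field = UDP payload size
            do = bool(ttl & DO_FLAG)
    return {
        "length": len(msg),
        "truncated": bool(flags & TC_FLAG),
        "edns_udp_size": edns_size,
        "dnssec_ok": do,
        "exceeds_classic_limit": len(msg) > CLASSIC_UDP_LIMIT,
    }


def build_constructed_response(query, rdata_len=600):
    """Constructed sample answer (not a real signed response): echoes the
    question, adds one RRSIG-typed (46) record with filler RDATA plus the
    OPT record, so the datagram lands above 512 bytes like a real DNSSEC reply."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)  # QR, RD, RA; 1 answer, 1 additional
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 46, 1, 3600, rdata_len) + b"\x00" * rdata_len
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, DO_FLAG, 0)
    return header + question + answer + opt


def firewall_verdict(msg, dpi_limit=CLASSIC_UDP_LIMIT):
    """What a DPI rule with a fixed DNS length limit does with this datagram."""
    return "pass" if len(msg) <= dpi_limit else "drop"


if __name__ == "__main__":
    q = build_query("example.com")
    print("query:", inspect_message(q))
    r = build_constructed_response(q)
    print("answer:", inspect_message(r))
    print("512-byte DPI:", firewall_verdict(r), "| 4096-byte DPI:", firewall_verdict(r, dpi_limit=4096))
```

        The caveat worth noting with a length-based rule: the TC bit only triggers a TCP retry when the server itself truncated the answer. A firewall that silently drops an oversized UDP answer leaves the client with a timeout, not a fallback, which is why a DPI limit sized at 512 breaks validation rather than degrading it gracefully. If the limit can be raised, 4096 matches what resolvers advertise; if it cannot, the forwarder workaround in #4 moves the large answers to a path the firewall does not inspect.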

        • #5
          Re: Dnssec

          Yes, that's why I would turn off DNS packet length inspection if I was using DNSSEC.


          • #6
            Re: Dnssec

            Originally posted by Garen:
            Yes, thats why I would turn off DNS packet length inspection if I was using DNSSEC.
            I misunderstood you. Still, some firewalls/routers may not have the ability to turn it off. Unless I'm still misunderstanding the issue.
