USADOTGOV.NET Root Problems?

Warren Kumari warren at kumari.net
Sat Jul 24 09:10:39 UTC 2010


On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote:

> On 7/22/2010 11:08 PM, Merton Campbell Crockett wrote:
>> Thanks for the confirmation that the problem was related to DNSSEC.
>> 
>> I didn't see your message until I got home from work; however, I did
>> find the root of the problem late this afternoon.  At each of our
>> Internet egress and ingress points, we have Cisco ASA devices sitting in
>> front of a pair of redundant firewalls.  Each ASA is configured with the
>> default DNS inspect policy that doesn't accept fragmented UDP packets.
> 
> Why would any inspection policy not allow fragmented UDP packets?
> There's nothing wrong with that.


Because it's "hard".... The issue is that then you need to buffer fragments until you get a full packet -- which leaves you open to attacks that send a bunch of fragments but leave one of them out.

Vendors like to avoid reassembling fragments by default, because it makes their performance numbers better....

W

> 
> Danny
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
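Warren's point above (a middlebox that reassembles must hold fragments until the set is complete, so an incomplete set ties up state) is what a bounded reassembly table addresses. The following is an added example, not code from the thread or from any vendor: a hypothetical reassembler with a fixed state budget, a per-datagram timeout and a drop counter, using constructed fragments keyed on (source, IP identification).

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Fragment:
    src: str        # source address
    frag_id: int    # IP identification field shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's payload within the datagram
    more: bool      # "more fragments" flag; False marks the last fragment
    payload: bytes

@dataclass
class _Pending:
    first_seen: float
    pieces: Dict[int, bytes] = field(default_factory=dict)  # offset -> payload
    total_len: Optional[int] = None  # known once the last fragment arrives

class Reassembler:
    """Fragment reassembly with bounded state: incomplete sets expire, and
    new sets are refused (and counted) once the table is full."""
    def __init__(self, max_pending=64, timeout=5.0, clock=time.monotonic):
        self.max_pending, self.timeout, self.clock = max_pending, timeout, clock
        self.pending: Dict[Tuple[str, int], _Pending] = {}
        self.dropped = 0   # fragments refused for lack of state; worth alerting on

    def _expire(self):
        now = self.clock()
        for k in [k for k, p in self.pending.items() if now - p.first_seen > self.timeout]:
            del self.pending[k]

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Feed one fragment; return the full datagram when complete, else None."""
        self._expire()
        key = (frag.src, frag.frag_id)
        p = self.pending.get(key)
        if p is None:
            if len(self.pending) >= self.max_pending:
                self.dropped += 1   # refuse rather than buffer without limit
                return None
            p = self.pending[key] = _Pending(first_seen=self.clock())
        p.pieces[frag.offset] = frag.payload
        if not frag.more:
            p.total_len = frag.offset + len(frag.payload)
        if p.total_len is None:
            return None
        pos = 0   # require contiguous coverage from 0 to total_len (no overlap handling)
        while pos < p.total_len:
            piece = p.pieces.get(pos)
            if piece is None:
                return None
            pos += len(piece)
        del self.pending[key]
        return b"".join(p.pieces[o] for o in sorted(p.pieces))
```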