disable dnssec in bind resolver
Mark Andrews
marka at isc.org
Tue Jun 8 15:02:42 UTC 2010
In message <D7C8ADA3-F213-4AE9-9FBE-8D613D97D69F at kumari.net>, Warren Kumari writes:
> On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote:
>
> > Thanks @all, sorry I was out of office yesterday. I'll discuss the
> > issue this week at the German Linux Tag in Berlin.
> >
> > What do you mean by firewalls that look into packets and block them
> > if the filter doesn't know a flag?
>
> Some "high security" firewalls examine the actual payload of the
> packets and validate that the payload follows the spec (at least as
> they understand the spec). This sounds like a great win, because it
> allows you to make sure that folks aren't tunneling things over other
> ports, "protects" your backend from application level attacks (and
> attacks on the TCP stack and such) and allows NAT fixups for things
> like SIP -- this is often called an ALG (Application layer gateway),
> fixups or something similar. Unfortunately they almost always cause
> way way more issues than they solve, and cause really really
> interesting troubleshooting problems[0]. The firewall has to maintain
> a huge amount of state, the ALG is coded for a protocol at a specific
> point in time and so doesn't deal with extensions (like edns
> apparently :-P), etc.
You wonder about firewall vendors and whether they are doing their jobs
when they don't support parts of the protocol that are a decade old and
are standards track.
EDNS 1999, DO 2001
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
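As an added example (not part of this thread or of BIND), a small Python probe that builds a query carrying the EDNS0 OPT pseudo-RR with the DO bit that Warren and Mark are talking about, and checks whether a reply still carries OPT. A reply with no OPT RR, or no reply at all, is what you see when a middlebox or ALG strips or drops EDNS. The server address, query name and the embedded sample reply are constructed for the example.

```python
# Added example: build a DNS query with an EDNS0 OPT pseudo-RR (DO bit set) and
# check whether a reply still carries OPT. An ALG that only knows pre-EDNS DNS
# typically drops the query or strips the OPT RR; both show up as None here.
# The sample reply below is constructed; no network is needed to run the checks.
import socket
import struct

def build_query(name, qtype=1, txid=0x1234, do=True):
    """Standard query, RD set, QDCOUNT=1, ARCOUNT=1 (the OPT pseudo-RR)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL=ext-rcode|version|flags (DO is the top flag bit), RDLEN=0
    flags = 0x8000 if do else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, flags, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if (l & 0xC0) == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + l

def edns_in_reply(msg):
    """Return {'udp_size', 'do'} from the reply's OPT RR, or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            return {"udp_size": rclass, "do": bool(ttl & 0x8000)}
    return None

def probe(server, name, timeout=2.0):
    """Send the query over UDP; None means no reply or a reply without OPT."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return edns_in_reply(reply)

# Constructed reply: QR|RD|RA, 1 question, 1 answer (A via name pointer), 1 OPT RR
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    + b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0))
```

Run `probe("192.0.2.53", "example.com")` from behind the firewall in question and compare with a host outside it; a difference in the returned dict (or None on one side only) points at the middlebox.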