Best ipfw Rules for DNS-SEC

Mark Andrews marka at isc.org
Wed Mar 16 00:48:09 UTC 2011


ISC has deployed two test zones with specially configured servers
to support the testing of firewalls and EDNS.

You can test the firewall rules using:

	dig edns-v4-ok.isc.org txt		(IPv4)

	dig edns-v6-ok.isc.org txt		(IPv6)
These queries will only be successfully answered if there is a clean
EDNS UDP path that supports a 4096 byte EDNS packet.  The servers
for these zones are set up to cause the query to fail if there is
not a clean EDNS UDP path that supports a 4096 byte EDNS packet.
Fallback to TCP is NOT supported on the servers for these zones.
EDNS queries using UDP buffer sizes less than 4096 for these queries
will NOT work.

You can check that the caching server can reach the servers for the
zones with:

	dig edns-v4-ok.isc.org soa		(IPv4)

	dig edns-v6-ok.isc.org soa		(IPv6)

To query the servers directly you will need to specify +edns=0 or +dnssec
with dig to get the TXT record.

	dig +dnssec edns-v4-ok.isc.org txt @edns-v4-ok.isc.org   (IPv4)

	dig +dnssec edns-v6-ok.isc.org txt @edns-v6-ok.isc.org	 (IPv6)

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
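Added here as an illustration, not part of Mark's post or of ISC's tooling: a Python snippet that builds the same kind of EDNS(0) query dig sends with +edns=0 or +dnssec (advertising a 4096-byte UDP buffer) and checks a UDP reply for what the test above depends on, namely an OPT record of at least 4096 bytes, no TC bit, and an answer present. Function names and the sample reply are mine; the sample bytes are constructed, not captured from ISC's servers.

```python
import struct
def _name(n):
    """Encode a dotted name in uncompressed DNS wire format."""
    return b"".join(bytes([len(p)]) + p.encode() for p in n.rstrip(".").split(".")) + b"\x00"

def build_edns_query(name, qtype=16, udp_payload=4096, do=True, txid=0x1234):
    """Query carrying an OPT record, as dig sends for +edns=0 / +dnssec (TXT is type 16)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = _name(name) + struct.pack("!HH", qtype, 1)
    # OPT (type 41): root name; CLASS carries the UDP payload size; TTL carries ext-rcode/version/DO
    opt = b"\x00" + struct.pack("!HHBBHH", 41, udp_payload, 0, 0, 0x8000 if do else 0, 0)
    return header + question + opt

def _skip_name(pkt, off):
    """Advance past a name: plain labels, a compression pointer, or labels ending in a pointer."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def inspect_response(pkt):
    """Extract what the EDNS path check needs: TC bit, RCODE, answer count, advertised OPT size."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    info = {"tc": bool(flags & 0x0200), "rcode": flags & 0xF, "answers": an, "edns_udp_size": None}
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 41:                          # OPT: its CLASS field is the UDP payload size
            info["edns_udp_size"] = rclass
        off += rdlen
    return info

def clean_edns_path(pkt, required=4096):
    """True only if the reply read from the UDP socket still carries an OPT record of at least `required` and is not truncated."""
    i = inspect_response(pkt)
    return (i["edns_udp_size"] is not None and i["edns_udp_size"] >= required
            and not i["tc"] and i["rcode"] == 0 and i["answers"] > 0)

# Constructed sample reply (not captured from ISC's servers): one TXT answer plus a 4096-byte OPT.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + _name("edns-v4-ok.isc.org") + struct.pack("!HH", 16, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, 3) + b"\x02ok"
    + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
)
```

To use it against a real path, send build_edns_query("edns-v4-ok.isc.org") over a UDP socket and pass the raw reply to clean_edns_path; a reply with TC set or with the OPT record missing points at a firewall or middlebox in the path rather than at the server.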
