Paul Wouters: Re: [dnssec-deployment] DNS cache issue

Mark Andrews Mark_Andrews at isc.org
Thu Nov 22 23:18:59 UTC 2007


> > .., and I am pretty sure both networks should not have edns issues.
> 
> most edns issues are really ip fragmentation issues.  firewalls that allow
> a certain server to send or receive udp/53 but which don't retain IP ID
> state to allow matching fragments, tend to break edns.  most of the firewalls
> that do this are software devices running on the same host as the dns
> server.  fairly often the cure is worse than the disease (allow all frags).

	Most OSes now have code to deal with fragmentation attacks.
	I've also found that most responses still fit in a single
	Ethernet packet.

		edns-udp-size 1460;  

	This is from a box which sits behind a nat that doesn't handle
	out-of-order fragments.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org


More information about the bind-workers mailing list