Paul Wouters: Re: [dnssec-deployment] DNS cache issue
Mark_Andrews at isc.org
Thu Nov 22 23:18:59 UTC 2007
> > .., and I am pretty sure both networks should not have edns issues.
> most edns issues are really ip fragmentation issues. firewalls that allow
> a certain server to send or receive udp/53 but which don't retain IP ID
> state to allow matching fragments, tend to break edns. most of the firewalls
> that do this are software devices running on the same host as the dns
> server. fairly often the cure is worse than the disease (allow all frags).
Most OS's now have code to deal with fragmentation attacks.
I've also found that most responses still fit in a single
This is from a box which sits behind a nat that doesn't handle
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
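The thread's point is that EDNS trouble is usually IP fragmentation trouble: a large advertised UDP buffer invites responses bigger than the path MTU, and a firewall that does not track fragments drops them. The following is an added diagnostic example, not code from the thread or from ISC: it builds a query carrying an EDNS0 OPT record with a chosen UDP payload size, reads the TC bit and advertised size back out of a message, and estimates whether a response of a given length would fragment (the MTU and the IPv4/IPv6 header sizes are assumptions, not values from the thread).

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR (RFC 2671)

def build_edns_query(name, udp_payload_size=4096, qtype=1, txid=0x1234):
    """Build a DNS query with an OPT RR advertising udp_payload_size bytes."""
    # Header: id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, type 41, CLASS = requested UDP size,
    # TTL = extended RCODE/version/flags (all zero here), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return header + question + opt

def parse_edns_info(msg):
    """Return (tc_bit_set, advertised_udp_size or None) for a DNS message."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    tc = bool(flags & 0x0200)

    def skip_name(off):
        while True:
            length = msg[off]
            if length == 0:
                return off + 1
            if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes
                return off + 2
            off += 1 + length

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # QTYPE + QCLASS
    udp_size = None
    for _ in range(an + ns + ar):
        off = skip_name(off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            udp_size = rclass  # OPT reuses CLASS for the UDP payload size
    return tc, udp_size

def will_fragment(dns_len, mtu=1500, ipv6=False):
    """Assumed overhead: IPv4 20 + UDP 8, or IPv6 40 + UDP 8, no options."""
    overhead = 48 if ipv6 else 28
    return dns_len + overhead > mtu
```

A resolver that advertises 4096 but sits behind a fragment-dropping firewall will see large answers vanish rather than get a TC bit, which is the symptom the thread describes.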