Paul Wouters: Re: [dnssec-deployment] DNS cache issue
Allen Smith
easmith at beatrice.rutgers.edu
Fri Nov 23 11:30:45 UTC 2007
In message <200711222318.lAMNIxnf095379 at drugs.dv.isc.org> (on 23 November
2007 10:18:59 +1100), Mark_Andrews at isc.org (Mark Andrews) wrote:
>
>> > .., and I am pretty sure both networks should not have edns issues.
>>
>> most edns issues are really ip fragmentation issues. firewalls that allow
>> a certain server to send or receive udp/53 but which don't retain IP ID
>> state to allow matching fragments, tend to break edns. most of the firewalls
>> that do this are software devices running on the same host as the dns
>> server. fairly often the cure is worse than the disease (allow all frags).
>
> Most OS's now have code to deal with fragmentation attacks.
> I've also found that most responses still fit in a single
> Ethernet packet.
>
> edns-udp-size 1460;
>
> This is from a box which sits behind a nat that doesn't handle
> out-of-order fragments.
Perhaps, before switching to non-edns, BIND could turn down the
edns-udp-size option itself, and the (much less frequent, please!) log
messages stating it was doing this could suggest doing this manually to
prevent further log messages?
-Allen
--
Allen Smith http://cesario.rutgers.edu/easmith/
September 11, 2001 A Day That Shall Live In Infamy II
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Benjamin Franklin
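The thread turns on two concrete mechanics: the EDNS(0) OPT record advertises a UDP payload size (the `edns-udp-size` value ends up in the OPT record's CLASS field, per RFC 6891), and a reply larger than what fits in one Ethernet frame (1500 bytes minus 20 for IP and 8 for UDP, so 1472 bytes of payload) gets fragmented, which a stateless firewall then drops. The following is an added example, not BIND code and not anything posted in this thread: it builds a query with a chosen advertised size, reads that size back out of the wire form, and walks the kind of step-down ladder Allen describes (4096, 1460, 1232, 512, then no EDNS; these ladder values are my own choice) against a constructed fake path that never delivers a fragmented reply.

```python
"""Build a DNS query carrying an EDNS(0) OPT record, read the advertised
UDP payload size back out of the wire form, and walk a step-down ladder
of edns-udp-size values against a simulated fragment-dropping path.
Added example, not BIND's implementation; the ladder and the fake
transport are constructed for illustration."""
import struct
from typing import Optional

OPT_TYPE = 41          # OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000       # DNSSEC OK bit, carried in the OPT record's TTL field
LADDER = (4096, 1460, 1232, 512, None)   # None = last resort: no EDNS at all


def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, edns_size: Optional[int] = 4096,
                txid: int = 0x1234) -> bytes:
    """Standard recursive query for <name>/IN; edns_size=None omits the OPT RR."""
    arcount = 0 if edns_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    if edns_size is None:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, DO_FLAG, 0)
    return header + question + opt


def skip_name(wire: bytes, off: int) -> int:
    """Advance past a wire-format name, handling a compression pointer."""
    while True:
        ln = wire[off]
        if ln & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if ln == 0:
            return off
        off += ln


def advertised_udp_size(wire: bytes) -> Optional[int]:
    """Return the CLASS field of the OPT RR, i.e. the EDNS UDP size, or None."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4       # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(wire, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None


def make_fake_path(answer_len: int, max_unfragmented: int = 1472):
    """Constructed simulation of a server behind a firewall that drops IP
    fragments. The server caps its reply at the client's advertised size
    (512 without EDNS) and sets TC when it had to cut the answer; a reply
    that would need fragmentation never arrives, returned here as None."""
    def send(query: bytes):
        limit = advertised_udp_size(query) or 512
        reply_len = min(answer_len, limit)
        if reply_len > max_unfragmented:
            return None                       # fragments dropped -> timeout
        return {"len": reply_len, "tc": answer_len > limit}
    return send


def step_down(name: str, send, ladder=LADDER):
    """Try each advertised size in turn; return (size_that_worked, reply)."""
    for size in ladder:
        reply = send(build_query(name, edns_size=size))
        if reply is not None:
            return size, reply
    return None, None


if __name__ == "__main__":
    print(step_down("example.com", make_fake_path(answer_len=1800)))
```

With a constructed 1800-byte answer the 4096 probe vanishes, and the ladder settles at 1460 with TC set, which is exactly the point made above: the reply now fits in one Ethernet frame and the resolver can fall back to TCP for the full answer instead of giving up EDNS. A 400-byte answer succeeds at the first size, so the ladder costs nothing when fragmentation is not the problem.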