Paul Wouters: Re: [dnssec-deployment] DNS cache issue

Allen Smith easmith at beatrice.rutgers.edu
Fri Nov 23 11:30:45 UTC 2007


In message <200711222318.lAMNIxnf095379 at drugs.dv.isc.org> (on 23 November
2007 10:18:59 +1100), Mark_Andrews at isc.org (Mark Andrews) wrote:
>
>> > .., and I am pretty sure both networks should not have edns issues.
>> 
>> most edns issues are really ip fragmentation issues.  firewalls that allow
>> a certain server to send or receive udp/53 but which don't retain IP ID
>> state to allow matching fragments, tend to break edns.  most of the firewalls
>> that do this are software devices running on the same host as the dns
>> server.  fairly often the cure is worse than the disease (allow all frags).
> 
>	Most OS's now have code to deal with fragmentation attacks.
>	I've also found that most responses still fit in a single
>	Ethernet packet.
>
>		edns-udp-size 1460;  
>
>	This is from a box which sits behind a nat that doesn't handle
>	out-of-order fragments.

Perhaps, before switching to non-edns, BIND could turn down the
edns-udp-size option itself, and the (much less frequent, please!) log
messages stating it was doing this could suggest doing this manually to
prevent further log messages?

	      -Allen

-- 
Allen Smith			http://cesario.rutgers.edu/easmith/
September 11, 2001		A Day That Shall Live In Infamy II
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Benjamin Franklin
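The thread's point is that the EDNS0 UDP payload size a resolver advertises decides whether responses can exceed a single Ethernet frame and get fragmented. The following Python is an added example, not code from this thread or from BIND: it builds a wire-format query carrying an OPT pseudo-RR with a chosen payload size, reads the advertised size back out of a message, and checks whether a given UDP payload would leave the host unfragmented (assuming a 1500-byte MTU, an IPv4 header without options, and an 8-byte UDP header).

```python
import struct

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
OPT_TYPE = 41                        # EDNS0 OPT pseudo-RR (RFC 6891)

def build_edns_query(name, qtype=1, udp_size=1460, txid=0x1234):
    """Query with an OPT RR; the OPT 'class' field carries the advertised UDP payload size."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    header = HEADER.pack(txid, 0x0100, 1, 0, 0, 1)          # RD set, one question, one additional
    question = qname + struct.pack("!HH", qtype, 1)         # qtype, class IN
    # OPT RR: root name, type 41, class = UDP payload size, TTL field = ext-rcode/version/DO bit
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0x00008000, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:     # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def advertised_udp_size(msg):
    """Find the OPT RR in a wire-format message and return its UDP payload size, or None."""
    _txid, _flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    off = HEADER.size
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # skip qtype + qclass
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen                    # fixed RR fields + rdata
    return None

def fits_in_one_frame(payload_len, mtu=1500, ipv6=False):
    """True if a UDP payload of this size leaves the host unfragmented at the given link MTU."""
    return payload_len <= mtu - (40 if ipv6 else 20) - 8
```

With a 1500-byte MTU the IPv4 limit is 1472 bytes of UDP payload, so the 1460 quoted above stays under it while the common 4096 default does not.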
