Just an FYI - This is no longer the case for ASA/PIX after the commit of CSCta35563 - which went into the codebase in 2009.11.
After the above commit, "the default" has been changed. Non-EDNS replies will still have the message length set to 512. But EDNS replies will use the advertised buffer size value specified by the requester in the OPT pseudo-RR.

The command "message-length maximum client auto" was added to version 7.2.1 via the introduction of AIC inspection for DNS. However, when introduced, if multiple maximum lengths were specified, like:

!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!

Then the lesser of the two (typically 512 in the DNSSEC case) would be selected.

With the fix for CSCta35563, we first check if the OPT pseudo-RR is present in a query request, and if so, that buffer size value is used. Otherwise, we fall back to using the global value of 512.

In summary, customers running a version with the fix for CSCta35563 will work fine if they have the following configured:

Versions with fix for CSCta35563:
---------------------------------
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!

Customers running a version prior to the fix for CSCta35563 will need to increase the global message-length maximum to 4096, until they upgrade to a version with the fix.

Versions without fix for CSCta35563:
------------------------------------
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
!

regards,
--
/karpenko

On 2011.09.28-12:47:53 -0700, michoski <micho...@cisco.com> wrote:
> Date: Wed, 28 Sep 2011 12:47:53 -0700
> From: michoski <micho...@cisco.com>
> To: Steve Arntzen <i...@arntzen.us>, bind-users@lists.isc.org
> Subject: Re: dnssec question. confused.
>
> On 9/28/11 5:32 AM, "Steve Arntzen" <i...@arntzen.us> wrote:
>> Is your firewall Cisco based?
>>
>> There is a known "default" setting in Cisco with respect to
>> packet size for DNS. Our network guys run into this anytime they
>> do an upgrade, etc. and have to go in and update the setting.
>
> This bit me the first time I managed a PIX years ago (though, in
> fairness, even then it was well documented on Cisco's site...I
> just had to read logs and search), and now continues on the ASA it
> seems... Once it's understood, it really shouldn't bite again:
>
> https://supportforums.cisco.com/thread/2013390
>
> --
> By nature, men are nearly alike;
> by practice, they get to be wide apart.
> -- Confucius
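To make the OPT-based selection concrete, here is an added Python example (not Cisco code and not from this thread) that parses a DNS query on the wire, reads the UDP payload size advertised in the OPT pseudo-RR, and models the pre-fix and post-fix length selection described above. `effective_limit` and `build_query` are assumed helper names, the modelling of the two behaviours is an assumption drawn from the post, and the sample query is constructed.

```python
import struct

DNS_TYPE_OPT = 41  # EDNS(0) OPT pseudo-RR type code (RFC 6891)

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def edns_udp_size(msg: bytes):
    """UDP payload size advertised in the OPT RR (its CLASS field), or None if no OPT."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # question section: NAME, QTYPE, QCLASS
        off = _skip_name(msg, off) + 4
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if section == "ar" and rtype == DNS_TYPE_OPT:
                return rclass
    return None

def effective_limit(query: bytes, global_max: int = 512, fixed: bool = True) -> int:
    """Assumed model of the two ASA behaviours described in the post (not Cisco code)."""
    advertised = edns_udp_size(query)
    if advertised is None:
        return global_max                      # non-EDNS query: global maximum applies
    if fixed:
        return advertised                      # CSCta35563 fix: OPT buffer size is used
    return min(advertised, global_max)         # pre-fix: lesser of the configured maximums

def build_query(name: str, qtype: int = 1, udp_size=None) -> bytes:
    """Constructed sample query; appends an EDNS OPT RR (DO bit set) when udp_size is given."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    arcount = 1 if udp_size is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    msg = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
    if udp_size is not None:                   # OPT: root name, TYPE 41, CLASS=UDP size, TTL flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, 0x00008000, 0)
    return msg
```

Running `effective_limit` on a DNSSEC-style query advertising 4096 shows why the pre-fix configuration needs `message-length maximum 4096` while the fixed code honours the OPT value with the global maximum left at 512.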