Educause Security Discussion mailing list archives
Re: Windows 2008 Server R2 SECDNS Blocked
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 24 Sep 2009 08:33:00 -0700
The general recommendation I've read for DNSSEC is that a 512 byte limitation is now obsolete. It looks like RFC 3226 indicates a maximum limit of 4000. Additionally, I found this paper in a Google search. It is a bit outdated, but an interesting analysis of the different sizes they saw:

http://mail.shinkuro.com:8100/Lists/dnssec-deployment/Message/434-02-02-B/csec28-dnsseclen-nojp.pdf

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel Bennett
Sent: Thursday, September 24, 2009 8:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows 2008 Server R2 SECDNS Blocked

Has anyone run into their DNS traffic being blocked by their firewall because the reply packet from the Root Hints is greater than 512 Bytes? I came across this with testing a Windows 2008 Server R2 domain controller running DNS. It appears that the implementation of SECDNS on R2 has increased the packet size to be larger than 512 Bytes, which is the default for regular DNS traffic.

If you have run into this, did you allow larger DNS UDP packets through your firewall? If so, what size limit did you set?

Thanks,

Daniel Bennett
IT Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport PA, 17701
570.329.4989
Current thread:
- Windows 2008 Server R2 SECDNS Blocked Daniel Bennett (Sep 24)
- <Possible follow-ups>
- Re: Windows 2008 Server R2 SECDNS Blocked Basgen, Brian (Sep 24)
- Re: Windows 2008 Server R2 SECDNS Blocked Valdis Kletnieks (Sep 25)