In message <aanlktimzmc4pgne7n72hnb7gnjuat9r2oktigaazv...@mail.gmail.com>, Rian to Wahyudi writes:
> Hi Mark,
>
> Thanks for the pointers, you are spot on!
>
> Doing dig +trace +dnssec www.paypal.com always fails.
> After some investigation with the network guys, it appears that our upstream
> firewall is dropping DNS UDP packets larger than 512.
> Cisco FWSM has this configuration enabled by default:
>
> http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/i2.html#wp1565355
So the default is "inspect dns maximum-length 512" if I read that page correctly. "inspect dns" or as a minimum "inspect dns maximum-length 4096" will allow reply traffic through for named.

I thought I had heard that Cisco had code which looked for the EDNS UDP size option and adjusted the maximum length based on that on a per-transaction basis and enforced 512 if there wasn't an EDNS option.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
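A small check for the symptom this thread describes (an inspecting middlebox dropping DNS/UDP replies above 512 bytes while EDNS advertises more). This is an added example, not code from the thread, from ISC or from Cisco; the resolver address and the query name passed to probe() are placeholders you choose, and classify() compares a run with a 512-byte buffer against one with 4096.

```python
import os
import socket
import struct

def build_edns_query(name, qtype=1, udp_size=4096, dnssec_ok=True):
    """Build a DNS query carrying an EDNS0 OPT record (RFC 6891).
    udp_size goes in the OPT CLASS field; the DO bit (0x8000 in the OPT TTL)
    asks for DNSSEC records, which is what pushes replies past 512 bytes."""
    header = os.urandom(2) + struct.pack('!HHHHH', 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    labels = name.rstrip('.').split('.')
    qname = b''.join(bytes([len(l)]) + l.encode() for l in labels) + b'\x00'
    question = qname + struct.pack('!HH', qtype, 1)                     # class IN
    opt = b'\x00' + struct.pack('!HHIH', 41, udp_size, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt

def parse_response(data):
    """Pull out the header fields a path check cares about."""
    _, flags, _, ancount, _, arcount = struct.unpack('!HHHHHH', data[:12])
    return {'size': len(data), 'tc': bool(flags & 0x0200),
            'rcode': flags & 0x000F, 'answers': ancount, 'additional': arcount}

def probe(resolver, name, udp_size, timeout=3.0):
    """Send one EDNS query over UDP. None means no reply arrived, the symptom
    seen when a middlebox silently drops replies larger than it allows."""
    query = build_edns_query(name, udp_size=udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    if data[:2] != query[:2]:          # ignore anything not matching our ID
        return None
    return parse_response(data)

def classify(small, large):
    """small: result with udp_size=512, large: result with udp_size=4096."""
    if small is None and large is None:
        return 'inconclusive: no reply at either size'
    if large is None:
        return 'replies above 512 bytes are lost in transit: check middlebox DNS inspection limits'
    if large['size'] > 512:
        return 'large EDNS replies pass; path is fine'
    if large['tc']:
        return 'server truncated at the advertised size; clients will retry over TCP'
    return 'reply fits in 512 bytes; pick a name with a larger DNSSEC answer to test'

if __name__ == '__main__':
    # Placeholders: point these at your own resolver and a DNSSEC-signed name.
    print(classify(probe('192.0.2.53', 'example.net', 512), probe('192.0.2.53', 'example.net', 4096)))
```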