Query regarding DNSSEC

Unanswered Question
May 6th, 2010


I have read much about DNSSEC in this forum as well as on other DNSSEC-related sites. However, I have a query as to what is the role of the

message-length maximum server auto command. Please can anybody explain a practical scenario? Also, I have one example (please refer to the attachment). In this, if a packet is coming from the outside world towards the firewall to a public web server hosted in the DMZ, and consider that the public DNS server is also in the DMZ zone of the firewall and has a public IP address (consider there is no nat-control in the FW), then what is the command supposed to be given under the "policy-map type inspect dns"? Can we specify the "message-length maximum server auto" command over here, or will it still work with the "message-length maximum client auto" command? I have read that client or server is determined by the firewall by looking into the "QR bit" in the DNS header: if QR = 0 it is a client, otherwise a server. I also want to understand how the firewall will differentiate between a public DNS server hosted at the ISP or inside (say the DMZ) of the organization.

Panos Kampanakis Thu, 05/06/2010 - 10:46

Both the requestor and responder can define the maximum DNS size in the EDNS packet. So if you use "client auto" then the ASA will adjust its allowed DNS size according to what the DNS query says it can support. Though the server could potentially say it supports up to a certain size, and that is where "server auto" comes in.

Usually the client is the one that says "I support up to that" and the server just obeys, so "server auto" will not be used often.

I hope it helps.


ankurs2008 Sat, 05/08/2010 - 15:42

Hi pkampana

Thanks for the reply. Does that mean that even if the DNS server is in the DMZ zone and the client is coming from outside, the client auto command will do the needful? Also, in case the server does not obey the client-declared value, then how can it be brought to notice that it is doing so? Also, please let me know what is the function of the DO flag in DNSSEC?
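
The two mechanics discussed in this thread, the QR bit that tells a query (QR=0) from a response (QR=1) and the UDP payload size advertised in the EDNS0 OPT record, can be seen directly by parsing DNS messages. The script below is an added example for illustration; it is not code from this thread or from Cisco, and the `allowed_length` function is a simplified assumed model of the "message-length maximum client auto / server auto" behaviour described in the reply above (the limit is taken from the OPT record of the message whose QR bit matches the chosen side, with 512 bytes when no OPT record exists), not the ASA's actual implementation. The DNS messages it inspects are constructed samples built by `build_message`. A "drop" under "client auto" is exactly the situation asked about in the follow-up: the server returned more than the client said it could accept, which is what the inspection would flag.

```python
import struct

QR_MASK = 0x8000        # QR bit in the header flags word: 0 = query, 1 = response
OPT_TYPE = 41           # EDNS0 OPT pseudo-record type (RFC 6891)
DO_FLAG = 0x8000        # DO ("DNSSEC OK") bit in the OPT record's extended flags
DEFAULT_MAX = 512       # classic UDP DNS limit applied when no OPT record is present


def _skip_name(msg, off):
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_dns(msg):
    """Pull out what inspection keys on: the QR bit, the EDNS0 UDP payload size
    advertised in the OPT record (None if absent) and the DO bit."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    info = {"qr": 1 if flags & QR_MASK else 0, "edns_size": None, "do": False}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info["edns_size"] = rclass                  # CLASS carries the UDP payload size
            info["do"] = bool(ttl & DO_FLAG)            # low 16 bits of TTL are the flags
    return info


def allowed_length(mode, flow):
    """Assumed, simplified model of 'message-length maximum' (not Cisco's code):
    'client auto' takes the size advertised by the message with QR=0, 'server auto'
    the size advertised by the message with QR=1, and an integer is a fixed cap.
    Without an OPT record the limit stays at 512 bytes."""
    if isinstance(mode, int):
        return mode
    want_qr = 0 if mode == "client auto" else 1
    for msg in flow:
        info = parse_dns(msg)
        if info["qr"] == want_qr and info["edns_size"] is not None:
            return info["edns_size"]
    return DEFAULT_MAX


def inspect_response(mode, flow):
    """Return 'permit' or 'drop' for the response (QR=1) in the flow under the policy.
    A drop under 'client auto' means the server ignored the size the client advertised."""
    limit = allowed_length(mode, flow)
    response = next(m for m in flow if parse_dns(m)["qr"] == 1)
    return "permit" if len(response) <= limit else "drop"


def build_message(qr, edns_size=None, do=False, filler=0):
    """Constructed sample: a minimal example.com/A query or response. A response
    carries one record of type 46 (RRSIG) whose rdata is zero filler of the
    requested length, only to make the message large; it is not a real signature."""
    flags = 0x8180 if qr else 0x0100
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if qr else 0, 0,
                      1 if edns_size is not None else 0)
    msg = hdr + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    if qr:
        rdata = b"\x00" * filler
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 46, 1, 300, len(rdata)) + rdata
    if edns_size is not None:
        # OPT RR: empty name, TYPE=41, CLASS=UDP payload size, TTL=ext flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, DO_FLAG if do else 0, 0)
    return msg


if __name__ == "__main__":
    query = build_message(0, edns_size=4096, do=True)       # client says "up to 4096"
    response = build_message(1, edns_size=1232, filler=1200)  # server says 1232, sends 1252
    flow = [query, response]
    print(parse_dns(query), parse_dns(response), len(response))
    for mode in ("client auto", "server auto", 512):
        print(mode, "->", inspect_response(mode, flow))
```

In the constructed flow the client advertises 4096 bytes while the server advertises only 1232 and then sends a 1252-byte answer, so the same response is permitted under "client auto", dropped under "server auto", and dropped under a fixed 512-byte limit. Swapping in a query without an OPT record shows the 512-byte fallback that makes large DNSSEC responses fail inspection when EDNS0 is not in play.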

