I have read much about DNSSEC in this forum as well as on other DNSSEC-related sites. However, I have a query as to what the role of the
"message-length maximum server auto" command is. Can anybody please explain a practical scenario? Also, I have one example (please refer to the attachment). In this, if a packet is coming from the outside world towards the firewall to a public web server hosted in the DMZ, and consider that the public DNS server is also in the DMZ zone of the firewall and has a public IP address (consider there is no nat-control in the FW), then what command is supposed to be given under "policy-map type inspect dns"? Can we specify the "message-length maximum server auto" command over here, or will it still work with the "message-length maximum client auto" command? I have read that client or server is determined by the firewall by looking at the "QR bit" in the DNS header: if QR = 0 it is the client, otherwise the server. I also want to understand how the firewall will differentiate between a public DNS server hosted at the ISP and one inside (say in the DMZ of) the organization.
Both the requestor and the responder can define the maximum DNS size in the EDNS packet. So if you use "client auto", then the ASA will adjust its allowed DNS size according to what the DNS query says it can support. Though, the server could potentially say it supports up to a certain size, and that is where "server auto" comes in.
Usually the client is the one that says "I support up to that" and the server just obeys, so the "server auto" will not be used often.
Thanks for the reply. Does that mean that even if the DNS server is in the DMZ zone and the client is coming from outside, the "client auto" command will do the needful? Also, in case the server does not obey the client-declared value, then how can it be brought to notice that it is doing so? Also, please let me know what the function of the DO flag in DNSSEC is.
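To make the reply above concrete, here is an added example (not code from the thread or from Cisco) that parses the two things the inspection looks at: the QR bit in the DNS header, which decides whether a message is treated as client or server, and the EDNS0 OPT record, whose CLASS field carries the advertised UDP payload size and whose TTL field carries the DO flag. The `response_limit` function is a simplified model of the "client auto" / "server auto" keywords, an assumption rather than the ASA's actual implementation; the sample messages are constructed inline.

```python
import struct
DNS_HEADER = struct.Struct("!HHHHHH")  # ID, flags, QD/AN/NS/AR counts
OPT_TYPE = 41                          # EDNS0 OPT pseudo-RR (RFC 6891)

def skip_name(msg, off):
    """Advance past a wire-format name (labels or a 2-byte compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def inspect_dns(msg):
    """Return (role, advertised_udp_size, do_flag): role is 'client' for QR=0 and
    'server' for QR=1; udp size is the OPT RR CLASS field, None without EDNS0."""
    _id, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg, 0)
    role = "server" if flags & 0x8000 else "client"   # QR is the top flag bit
    off = DNS_HEADER.size
    for _ in range(qd):
        off = skip_name(msg, off) + 4                  # skip QTYPE + QCLASS
    udp_size, do_flag = None, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            udp_size = rclass              # OPT reuses CLASS for the UDP payload size
            do_flag = bool(ttl & 0x8000)   # DO (DNSSEC OK) bit sits in the OPT TTL field
    return role, udp_size, do_flag

def response_limit(query, response, client_auto=True, server_auto=False, default=512):
    """Simplified model (assumption, not ASA code): client auto takes the limit from the
    client's query, server auto from the server's response (smaller wins); else default."""
    q_role, q_size, _ = inspect_dns(query)
    r_role, r_size, _ = inspect_dns(response)
    sizes = []
    if client_auto and q_role == "client" and q_size:
        sizes.append(q_size)
    if server_auto and r_role == "server" and r_size:
        sizes.append(r_size)
    limit = min(sizes) if sizes else default
    return limit, len(response) <= limit

def build_msg(qr, udp_size=None, do=False, pad=0):
    """Constructed sample: A question for example.com, optional OPT RR (CLASS=UDP size, RDATA=pad)."""
    hdr = DNS_HEADER.pack(0x1234, 0x8000 if qr else 0, 1, 0, 0, 1 if udp_size else 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    opt = (b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0x8000 if do else 0, pad) + b"\x00" * pad) if udp_size else b""
    return hdr + question + opt
```

Running `response_limit` on a 640-byte response with no "auto" keyword returns a 512-byte limit and a failed check, which is the condition a length-violation syslog from the DNS inspection would correspond to; with "client auto" the client's advertised 4096 bytes is used instead and the same response passes.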