Cisco Support Community
Community Member

Query regarding DNSSEC


I have read much about DNSSEC in this forum as well as on other DNSSEC-related sites. However, I have a query as to what the role of the "message-length maximum server auto" command is. Can anybody please explain a practical scenario?

Also, I have one example (please refer to the attachment). In this, a packet is coming from the outside world through the firewall to a public web server hosted in the DMZ, and consider that the public DNS server is also in the DMZ zone of the firewall and has a public IP address (consider there is no nat-control in the FW). What command is then supposed to be given under "policy-map type inspect dns"? Can we specify the "message-length maximum server auto" command here, or will it still work with the "message-length maximum client auto" command? I have read that client or server is determined by the firewall by looking at the QR bit in the DNS header: if QR = 0 it is a client, otherwise a server. I also want to understand how the firewall will differentiate between a public DNS server hosted at the ISP and one inside the organization (say in the DMZ).

Cisco Employee

Re: Query regarding DNSSEC

Both the requestor and the responder can define the maximum DNS size in the EDNS packet. So if you use "client auto", the ASA will adjust its allowed DNS size according to what the DNS query says it can support. However, the server could potentially say it supports up to a certain size, and that is where "server auto" comes in.

Usually the client is the one that says "I support up to that" and the server just obeys, so "server auto" will not be used often.

I hope it helps.

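The following is an added example, not code from the thread or from Cisco, that models the mechanism the reply above describes: the inspection engine reads the QR bit to decide which side sent a message (QR = 0 client, QR = 1 server), reads the UDP payload size that side advertised in its EDNS0 OPT pseudo-RR (RFC 6891: the OPT record's CLASS field carries the size, bit 15 of its TTL field is the DO flag), and under "message-length maximum client auto" uses the client's advertised size as the limit for the session, while "server auto" would take it from the server's OPT record. The `inspect_exchange` function is a simplified model of that policy and is an assumption, not ASA code; the DNS messages are constructed inline, and the response is padded with A records to stand in for a large DNSSEC answer. On an ASA the matching configuration is "message-length maximum client auto" under "parameters" in a "policy-map type inspect dns".

```python
import struct

DNS_TYPE_OPT = 41        # EDNS0 OPT pseudo-RR type (RFC 6891)
CLASSIC_MAX = 512        # pre-EDNS0 UDP DNS limit the model falls back to


def _encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero octet."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a name, handling compression pointers (0xC0xx)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # a pointer is 2 bytes and terminates the name
            return off + 2
        off += 1 + length


def parse_dns(msg):
    """Return the QR-derived role, the EDNS0 advertised UDP payload size and the DO bit
    (udp_size and do are None when the message carries no OPT RR)."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qr = (flags >> 15) & 1                     # QR=0 query (client), QR=1 response (server)
    off = 12
    for _ in range(qd):                        # question section: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    udp_size = do = None
    for _ in range(an + ns + ar):              # answer, authority and additional RRs
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            udp_size = rclass                  # OPT reuses CLASS as the sender's max UDP payload size
            do = (ttl >> 15) & 1               # OPT reuses TTL: bit 15 is the DNSSEC OK (DO) flag
        off += 10 + rdlen
    return {"role": "server" if qr else "client", "udp_size": udp_size, "do": do}


def build_query(qname, udp_size=None, do=0):
    """Constructed A query (sample input); adds an OPT RR advertising udp_size when given."""
    hdr = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)          # type A, class IN
    opt = b""
    if udp_size:
        opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, do << 15, 0)
    return hdr + question + opt


def build_response(qname, n_answers, udp_size=None, do=0):
    """Constructed response padded with n_answers A records, standing in for a bulky signed answer."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, n_answers, 0, 1 if udp_size else 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    # each RR: pointer to the QNAME at offset 12, type A, class IN, TTL 300, 4-byte address
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + b"\xc0\xa8\x00\x01"
    opt = b""
    if udp_size:
        opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, do << 15, 0)
    return hdr + question + rr * n_answers + opt


def inspect_exchange(query, response, mode, fallback=CLASSIC_MAX):
    """Simplified model (assumption, not ASA code) of 'message-length maximum {client|server} auto':
    the session limit comes from the named side's OPT RR, else from fallback.
    Returns (limit, response_allowed)."""
    q, r = parse_dns(query), parse_dns(response)
    if q["role"] != "client" or r["role"] != "server":
        raise ValueError("expected a query (QR=0) followed by a response (QR=1)")
    limit = fallback
    if mode == "client auto" and q["udp_size"]:
        limit = q["udp_size"]
    elif mode == "server auto" and r["udp_size"]:
        limit = r["udp_size"]
    return limit, len(response) <= limit


if __name__ == "__main__":
    qname = "www.example.com"
    query = build_query(qname, udp_size=4096, do=1)          # resolver: "I accept up to 4096"
    big = build_response(qname, n_answers=40, udp_size=4096, do=1)   # 684 bytes, well over 512
    print(len(big), inspect_exchange(query, big, "client auto"))
    print(inspect_exchange(query, build_response(qname, 40), "server auto"))   # no server OPT
    print(inspect_exchange(build_query(qname), big, "client auto"))           # no client OPT
```

Running it shows why "client auto" fits the DMZ scenario regardless of which interface the server sits on: the limit is learned from whichever message has QR = 0, so a 684-byte response is allowed when the query advertised 4096 and dropped when the query carried no OPT record. Under "server auto" the same response is dropped unless the server itself advertises a size, which is why that mode rarely applies.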

Community Member

Re: Query regarding DNSSEC

Hi pkampana

Thanks for the reply. Does that mean that even if the DNS server is in the DMZ zone and the client is coming from outside, the "client auto" command will do the needful? Also, in case the server does not obey the client-declared value, how can it be brought to notice that it is doing so? Also, please let me know what the function of the DO flag is in DNSSEC.

Community Member

Re: Query regarding DNSSEC

Hi all / pkampana

Please reply to my query below.
