Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

ASA: DNSSEC

 

Introduction

DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System. DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.

 

These mechanisms require changes to the DNS protocol. DNSSEC adds four new resource record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). These new RRs are described in detail in RFC 4034.

 

It also adds two new DNS header flags: Checking Disabled (CD) and Authenticated Data (AD). In order to support the larger DNS message sizes that result from adding the DNSSEC RRs, DNSSEC also requires EDNS0 support (RFC 2671).

 

Finally, DNSSEC requires support for the DNSSEC OK (DO) EDNS header bit (RFC 3225) so that a security-aware resolver can indicate in its queries that it wishes to receive DNSSEC RRs in response messages. By checking the signature, a DNS resolver is able to check if the information is identical (correct and complete) to the info on the authoritative DNS server.

 

DNSSEC services protect against most of the threats to the Domain Name System. There are several distinct classes of threats to the Domain Name System, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol.

 

All root servers will be switching to DNSSEC on May 5th and we would get lot many cases on DNSSEC wherein the cu would be looking for the changes which would be required to allow larger dns packets through the ASA. Now, what needs to be done to allow such traffic through the ASA is described under this:

 

CSCta35563    EDNS0 - Default length for UDP DNS should be increased due to DNSSEC

 

The default maximum DNS response length is 512. Recent developments in the DNS are gradually introducing DNSSEC, which increases the packet sizes involved in quite a significant way. When there is a "clear config all" or while booting from a blank startup config, inspect dns is enabled on the preset_dns_map which has the default setting of maximum message-length as 512bytes. With this limitation, customers with this default config will not be able to support DNSSec packets as they are big in size.

 

Solution

1. Enable "message-length maximum client auto" on preset_dns_map and migrated_dns_map so that maximum message length for EDNS0 traffic can be picked up from the requester.

2. When checking for maximum length, give precedence to maximum client length over regular client length if it is configured.

3. As a trivial change, while displaying the config....if client auto settings are present....print them before printing regular length settings.          

 

policy-map type inspect dns DNS

parameters

message-length maximum client auto

 

The details of the changes required are described under "fixed-in-boston-main-by-cl94615" attachment in the above bug.

Version history
Revision #:
2 of 2
Last update:
‎08-24-2017 06:17 AM
Updated by:
 
Labels (1)
Contributors
Everyone's tags (1)