Cisco PIX / ASA and DNSSEC problem approaching on May 5th?

nifb01food
Level 1

So by default all Cisco PIX / ASA configs have something along these lines...

policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1 <-- DNS inspection
...

So after May 5th, when DNSSEC is enabled on all root servers, I'd expect many queries to be over the 512 byte maximum. See http://www.theregister.co.uk/2010/04/13/dnssec/ if you are not familiar with this.

Does this mean I should change the 512 number to something else? Suggestions on that? Or should I just disable DNS inspection completely with "no inspect dns"?

18 Replies

Hey Troy,

pkampana is absolutely correct. You can keep the "message-length maximum 512" in, and just add the "message-length maximum client auto" line as per the bug.
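To make the difference between the fixed "message-length maximum 512" limit and "message-length maximum client auto" concrete, here is an added Python example that is not code from the thread, from Cisco, or from any ASA/PIX software. It builds two constructed DNS queries (one with an EDNS0 OPT record advertising a 4096-byte UDP payload and the DO bit, as a DNSSEC-aware resolver sends, and one legacy query without EDNS0), reads the advertised size back out of the OPT record, and models which limit would apply to a 900-byte signed reply under each setting. The assumption, marked in the code, is that "client auto" takes the limit from the client's OPT record and falls back to the configured fixed maximum when the query has no EDNS0 record; the function and variable names are mine, and the 900-byte reply is a constructed stand-in for a real signed answer.

```python
import struct

DNS_TYPE_OPT = 41  # EDNS0 OPT pseudo-RR (RFC 6891)


def _encode_name(name):
    """Encode a dotted name into DNS wire label format (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, edns_udp_size=None, dnssec_ok=True):
    """Build a constructed DNS query for `name` (sample data, not captured traffic).

    If edns_udp_size is given, an OPT RR advertising that UDP payload size
    (with the DO bit set when dnssec_ok) is appended, as a DNSSEC-capable
    resolver would send.
    """
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # ID, RD, 1 question
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)       # QTYPE, QCLASS=IN
    msg = header + question
    if edns_udp_size is not None:
        ttl_field = 0x8000 if dnssec_ok else 0  # the DO bit lives in the OPT "TTL" field
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_udp_size, ttl_field, 0)
    return msg


def _skip_name(msg, off):
    """Return the offset just past the name that starts at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(query):
    """Return the UDP payload size from the query's OPT RR, or None if it has no EDNS0."""
    _id, _flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(query, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass  # for OPT, the CLASS field carries the UDP payload size
        off += 10 + rdlen
    return None


def effective_limit(query, configured_max=512, client_auto=False):
    """Model the inspection limit applied to the reply for `query`.

    Assumption (hypothetical model of the policy, not verified against Cisco
    code): "client auto" uses the size the client advertised in its OPT RR and
    falls back to the fixed maximum when the query carries no EDNS0 record.
    """
    if client_auto:
        advertised = advertised_udp_size(query)
        if advertised is not None:
            return advertised
    return configured_max


def reply_allowed(query, reply_len, configured_max=512, client_auto=False):
    """Return (allowed, limit) for a reply of reply_len bytes to `query`."""
    limit = effective_limit(query, configured_max, client_auto)
    return reply_len <= limit, limit


if __name__ == "__main__":
    edns_query = build_query("example.com", edns_udp_size=4096)
    legacy_query = build_query("example.com")
    signed_reply_len = 900  # constructed stand-in for an answer carrying RRSIGs
    for label, q in (("EDNS0 query", edns_query), ("legacy query", legacy_query)):
        for auto in (False, True):
            ok, limit = reply_allowed(q, signed_reply_len, client_auto=auto)
            print(f"{label:12s} client auto={auto!s:5s} limit={limit:5d} "
                  f"900-byte reply {'passes' if ok else 'DROPPED'}")
```

Running it shows why the fixed 512 is the problem: the same 900-byte reply is dropped for the EDNS0 query under the fixed limit but passes under the client-derived one, while the legacy client that never advertised a larger buffer still gets the 512 limit, which is the only size it could receive over UDP anyway. Raising the fixed number instead (as the FWSM reply later in the thread does with 1536) lifts the limit for every client, whether or not it asked for it.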

Hello,

Could you tell me in which version of FWSM the command "message-length maximum client auto" is available?

Thank you

Unfortunately the "auto" option is not available in FWSM.

You can only configure absolute maximum length but not "auto".

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/command/reference/i2.html#wp1639206

Hope that answers your question.

Thank you, Jennifer, for your prompt answer. I will try to increase the maximum length to 1536 bytes.
