Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500
From: Volker Tanger (volker.tanger@discon.de)
Date: 02/17/03
- Previous message: Reckhard, Tobias: "RE: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500"
- In reply to: Reckhard, Tobias: "RE: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500"
- Next in thread: Mike Scher: "Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500"
- Reply: Mike Scher: "Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Volker Tanger <volker.tanger@discon.de>
To: "'firewall-wizards@honor.ics..." <firewall-wizards@honor.icsalabs.com>
Date: Mon, 17 Feb 2003 14:17:16 +0100
Greetings!
Reckhard, Tobias wrote:
> Back from the weekend, I find my post has stirred up a bit of a debate..
>
> On Saturday, February 15, 2003 4:11 AM, Rob Payne wrote:
>>On Fri, Feb 14, 2003 at 08:58:41AM +0100, Reckhard, Tobias wrote:
>>>>On Thursday, February 13, 2003 3:39 AM, Rob Payne
>>>
>>>>get in the way of (DNS) security when zones start getting signed.
>>>>(Rhetorical: Has anyone attempted to fit current DNS data plus
>>>>RSA/SHA1 keys and signatures in packets 512 datagrams long?)
>>>
>
> No, it is not. The reason for my response was that I don't know of any
> currently relevant reason for DNS responses to be over 512 bytes in size.
Well, I've seen - and that was not even signed DNS. The idi... ahem...
programmers of that system (mis)used fake hostnames to hold session-ID
and shopping basket content. And that easily went beyond UDP packet size
quite often. Caching did not work with that system either.
Bye
Volker Tanger
IT-Security Consulting
--
discon gmbh
Wrangelstraße 100
D-10997 Berlin
Phone (030) 6104-3307
Fax (030) 6104-3461
volker.tanger@discon.de
http://www.discon.de/
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards