[dnssec-deployment] Article about NIC-SE and DNSSEC in Computer Sweden
dougb at dougbarton.net
Mon Oct 10 14:59:27 EDT 2005
Patrik Fältström wrote:
> What we have done in the PIX from version 6.3.2 released about 2 years
> ago (or more) is to have the ability to set a policy in the PIX for
> what the max size of DNS packets should go through it (and some other
> inspection of the DNS transaction), but no parsing of EDNS0 size. What
> we have NOT done is to have this turned on by default. Because of this,
> people buying a PIX must turn on support for DNS packet sizes > 512 bytes.
We need to figure out how to lobby harder to have this turned on by default.
I was fighting this problem 3 years ago when I was still back at Yahoo!.
EDNS0 is an important step in evolution of DNS, with or without DNSSEC, and
having it not work by default, even in newer devices, is a huge setback.
More information about the Dnssec-deployment