
DNSSec Effect on ASA PIX Firewalls and FWSM

As of 5 May 2010, all 13 DNS root servers will return signed responses, i.e. a digital signature accompanies every query reply. This has been rolled out to tackle man-in-the-middle attacks similar to Dan Kaminsky's exploit.

Is it going to break the internet?

It will only cause problems where the firewalls and FWSMs are not configured correctly to allow DNSSEC-signed packets through.

The reason: as we already know, DNS uses UDP packets for query replies, and most firewalls will drop any DNS packet larger than 512 bytes.

That said, DNSSEC-signed replies carry an extra layer of cryptographic signature data, increasing the packet size to up to 4 KB (4096 bytes), so the firewalls and FWSMs need to be configured to allow such larger packets through.

What needs to be configured on the Firewall?

The firewall needs to have the following settings to allow larger UDP packets through…

We can either hard-code the maximum length or use other methods to tackle this issue.
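The settings themselves did not survive in the post, so here is an added example of the hard-coded approach (my own configuration, not the post's or Cisco's documentation verbatim): the Modular Policy Framework DNS inspection on an ASA or FWSM 3.x with the message-length limit raised to 4096 bytes, plus the older PIX 6.x fixup form. The policy-map names `preset_dns_map` and `global_policy` are assumed to be the ASA defaults; adjust them to match your running config.

```cisco
! Added example, not the post's own configuration.
! Raise the DNS inspection limit so UDP replies up to 4096 bytes are passed
! instead of being dropped at the classic 512-byte boundary.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
!
! The DNS inspection must be referenced from the policy that is applied
! globally (this is the default global_policy on an ASA).
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global
!
! Equivalent hard-coded setting on PIX 6.x / FWSM releases without MPF:
! fixup protocol dns maximum-length 4096
!
! Verify the active limit and that inspection is hitting:
! show service-policy inspect dns
```

Check the limit first with `show service-policy inspect dns`; a DNS inspection left at the default 512 bytes is the setting that silently drops the larger signed replies.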

More info about DNSSEC can be found on or simply by typing the word into Google.
