DNSSEC Support
Does the Fortigate (Ver 3.0 or higher) have support for DNSSEC? I'm looking to increase the DNS message size from 512 bytes to 4096 bytes.
Has anybody done this yet?
It should support more than 512 bytes, as you need to enable a specific rule to change that.
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32863&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=20918139&stateId=0%200%2020916596
Jan,
Isn't this to block messages that exceed 512 bytes? I would think to reverse that, and increase it accordingly, but I don't see where you would do this at.
I'm still searching...
As the document states, it supports DNSSEC by default; the IPS rule is to block DNS requests over 512 bytes, but it allows DNSSEC...
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Yes, the signature is to block DNS greater than 512 bytes, but as stated the default setting is to let it pass (and only create a log entry). So unless you use this signature AND override the custom behavior ("action = pass"), the FGT is not blocking DNS over 512 bytes, so DNSSEC should work.
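To confirm the behaviour discussed in this thread from a host behind the firewall, here is an added example (not part of the original posts, and not Fortinet code): it builds a DNSSEC-style query advertising a 4096-byte EDNS0 buffer and classifies the UDP reply. The function names and result labels are this example's own assumptions.

```python
import struct

def build_query(name, qtype=48, udp_size=4096, do_bit=True, txid=0x1234):
    """DNS query with an EDNS0 OPT record (RFC 6891); qtype 48 = DNSKEY."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    ttl = 0x8000 if do_bit else 0  # OPT TTL field: ext-rcode, version, flags (DO = 0x8000)
    # OPT RR: root name, TYPE 41, CLASS carries the advertised UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return off + 2
        off += n + 1

def edns_info(msg):
    """Return (tc_bit, udp_size, do_bit); udp_size is None if no OPT record."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    udp_size, do_bit = None, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            udp_size, do_bit = rclass, bool(ttl & 0x8000)
    return bool(flags & 0x0200), udp_size, do_bit

def assess(response):
    """Classify the UDP reply seen behind the firewall (labels are this example's own)."""
    if response is None:
        return "no-response"          # timed out: dropped somewhere on the path
    tc, size, _ = edns_info(response)
    if tc:
        return "truncated"            # resolver has to retry over TCP
    if len(response) > 512:
        return "large-udp-ok"         # a >512-byte answer made it through
    return "small" if size is not None else "small-no-opt"
```

Send the bytes from `build_query` to your resolver over UDP port 53 for a signed zone and pass the reply (or `None` on timeout) to `assess`; a "no-response" or "truncated" result for a zone known to return large DNSKEY answers is the cue to check the IPS signature's action.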