This is a cryptographically signed message in MIME format.

--===============0864548972==
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg=sha1; boundary="------------ms070503010103010702020306"

This is a cryptographically signed message in MIME format.

--------------ms070503010103010702020306
Content-Type: multipart/mixed; boundary="------------010406090802070108060107"

This is a multi-part message in MIME format.
--------------010406090802070108060107
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Folks,

Thanks to those of you who already sent me results from the DNS query,
which tests whether your firewall (and config) allow UDP-encapsulated
DNS response messages greater than 512 bytes (and also tests whether
your firewall/application proxy blocks AAAA records):

dig hk ns +bufsize=4096 @203.119.2.18


I'm gathering test results to help determine a "least impact" path to
introduce AAAA records of root name servers in the root hints and
initial (priming) response.

The first set of results is included below. There were many duplicates
for the popular firewalls and versions.

I am still looking to expand this table with firewall products from
Symantec, Cyberguard, Lucent, Barricade, TopLayer, SteelGate, HotBrick,
InGate, et al.

If you run a firewall that is not yet on this list and would be willing to
try the dig and send me the result/output as well as the firewall,
version, and any unique policy you configured to allow the response to
pass, I would be extremely grateful. I will not be associating or
publishing any company or personal information with the results (what
you see in the table below is essentially what will be published).

---------------------------------------------------

Product              Version         Action when AAAA   Action when DNS
                                     RR encountered     response > 512

Juniper/             5.4r2
Netscreen            5.30r3
                     4.0.3r4.0       Allow              Allow

Sonicwall            3.1.0.7-77s     Allow              Allow

Cisco PIX            7.2.1           Allow              Allow

Cisco PIX            6.2.5           Allow              Deny

Cisco PIX            6.3.5           Allow              Allow**1

Cisco C2600          IOS 12.2(37)    Allow              Allow

Watchguard
Firebox X 1000       Fireware v8.2   Allow              Allow

Secure Computing     5.2.1,
Sidewinder           6.1.2.00        Allow              Allow

Fortinet
Fortigate 60         3.0.x           Allow              Allow

Checkpoint
Firewall-1           NG, R55         Allow              Allow

**1 Firewall configuration includes "fixup protocol dns maximum-length
1500".


--------------010406090802070108060107
Content-Type: text/x-vcard; charset=utf-8;
name="dave.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="dave.vcf"

begin:vcard
fn:David Piscitello
n:Piscitello;David
adr;dom:;;3 Myrtle Bank Lane;Hilton Head;SC;29926
email;internet:dave@corecom.com
x-mozilla-html:FALSE
url:http://hhi.corecom.com/weblogindex.htm
version:2.1
end:vcard


--------------010406090802070108060107--

--------------ms070503010103010702020306
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms070503010103010702020306--

--===============0864548972==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards

--===============0864548972==--
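
An added example, not part of the original message: Python that builds an EDNS0 query comparable to `dig hk ns +bufsize=4096` and summarizes a UDP response by the two properties the table records (size over 512 bytes, AAAA records present). The response is constructed inline rather than captured; the `nsNN.example-registry.hk` host names and the 2001:db8:: address are placeholders.

```python
import struct

TYPE_NS, TYPE_AAAA, TYPE_OPT = 2, 28, 41

def encode_name(name):
    """Length-prefixed labels, no compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, bufsize=4096, txid=0x1234):
    """EDNS0 query comparable to `dig <name> <type> +bufsize=N`; OPT CLASS carries the UDP size."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question + b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)

def skip_name(msg, off):
    """Offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def summarize(msg):
    """What arrived over UDP: size, TC bit, number of AAAA records."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    aaaa = 0
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        aaaa += rtype == TYPE_AAAA
    return {"size": len(msg), "over_512": len(msg) > 512,
            "truncated": bool(flags & 0x0200), "aaaa": aaaa}

def constructed_response(n=12):
    """Constructed sample, not captured traffic: n NS records for 'hk' with AAAA glue."""
    rr = lambda owner, t, rdata: owner + struct.pack("!HHIH", t, 1, 3600, len(rdata)) + rdata
    hosts = [encode_name("ns%02d.example-registry.hk" % i) for i in range(n)]
    glue = bytes.fromhex("20010db8") + bytes(12)  # placeholder 2001:db8:: address
    body = encode_name("hk") + struct.pack("!HH", TYPE_NS, 1)
    body += b"".join(rr(encode_name("hk"), TYPE_NS, h) for h in hosts)
    body += b"".join(rr(h, TYPE_AAAA, glue) for h in hosts)
    return struct.pack("!6H", 0x1234, 0x8400, 1, n, 0, n) + body
```

Bytes received from a real UDP exchange can be passed to `summarize` in place of the constructed response.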