It is important to use DNS inspection and update it for up coming DNSSEC. Here is how to enable your ASA to work with DNSSEC.

Required: Cisco ASA running software version 8.2.2 or later
Cisco Documentation

CLI Configuration:

ciscoasa# configure terminal
ciscoasa(config)# policy-map type inspect dns preset_dns_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# message-length maximum client auto
ciscoasa(config-pmap-p)# write memory

You can now exit your SSH connection.

ciscoasa# show running-config

You should see this somewhere in your configuration now:

policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
policy-map global-policy
class global-class
inspect ftp
inspect icmp
inspect dns preset_dns_map


Note: The message-length maximum 512 should already be there from the inspection defaults.


ASDM Configuration: