On 23. 02. 25 13:25, Meir Kraushar via dns-operations wrote:
> Hi
> The .sl ccTLD (Sierra Leone) is being used as an amplifier for
> reflection attacks.
> It looks like the domain is horribly misconfigured:
> 1) It has 4 keys:
> - Two KSKs, each one *4096* in size
> - Two ZSKs, each 2048
> 2) *ALL* keys are used to sign DNSKEY records, resulting in 4 DNSKEY RRSIGs
> 3) All other records are signed twice
> 4) All algos are 7
> 5) There is no DS in the root, this TLD is not DNSSEC validated
> As a result, the reply size of "dig sl any" is 5814 (!)
> Again, this is being used as an amplifier for reflection attacks
> (victims referred to us for help).
> Does anyone know someone there who can fix this?
I agree sl TLD has _very_ unusual configuration, but their servers don't
send ANY responses over UDP, so it should not be a problem by itself. I
would think the problem is someone else's servers which are willing to
send oversized UDP answers, ignoring not only
https://www.dnsflagday.net/2020/ but also the very old 4096 byte
'default' buffer size for EDNS0.
--
Petr Špaček
Internet Systems Consortium
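An added illustration of the point made above, not code from either poster: a well-behaved authoritative server caps a UDP answer at the smaller of the client's advertised EDNS0 buffer size and its own configured limit (1232 bytes per the Flag Day 2020 recommendation), and sets TC on anything larger so the client retries over TCP. The query bytes are constructed inline; the function names and the 5814-byte figure used as the response size are taken from the thread, everything else is an assumption.

```python
import struct

FLAG_DAY_2020_BUFSIZE = 1232   # dnsflagday.net/2020 recommended EDNS buffer size
CLASSIC_EDNS_BUFSIZE = 4096    # the old 'default' EDNS0 buffer size from the thread
NO_EDNS_BUFSIZE = 512          # plain DNS over UDP without an OPT record
OPT_TYPE = 41

def build_query(qname: str, qtype: int, bufsize: int = 0) -> bytes:
    """Construct a minimal DNS query (constructed sample, not captured traffic).
    bufsize > 0 appends an EDNS0 OPT pseudo-RR advertising that UDP payload size."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if bufsize else 0)
    msg = hdr + name + struct.pack("!HH", qtype, 1)  # class IN
    if bufsize:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0)
    return msg

def advertised_udp_size(query: bytes) -> int:
    """Return the EDNS0 UDP payload size the query advertises (512 if no OPT RR).
    Skips the question section, then scans remaining RRs for the OPT record."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    def skip_name(p: int) -> int:
        while True:
            ln = query[p]
            if ln == 0:
                return p + 1
            if ln & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
                return p + 2
            p += 1 + ln
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4    # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = skip_name(pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        if rtype == OPT_TYPE:
            return rclass           # OPT reuses CLASS for the buffer size
        pos += 10 + rdlen
    return NO_EDNS_BUFSIZE

def udp_response_plan(query: bytes, response_size: int,
                      server_cap: int = FLAG_DAY_2020_BUFSIZE) -> dict:
    """Decide how a server should send a response_size-byte answer over UDP.
    If it exceeds min(client-advertised, server cap), it is truncated (TC=1) and
    only roughly the query-sized header/question/OPT goes out, so the
    amplification factor collapses to about 1; otherwise it is bytes out / bytes in."""
    limit = min(advertised_udp_size(query), server_cap)
    truncate = response_size > limit
    sent = len(query) if truncate else response_size
    return {"limit": limit, "truncate": truncate,
            "amplification": round(sent / len(query), 1)}
```

With the 5814-byte `sl. ANY` answer from the thread, a Flag Day compliant server truncates (factor about 1.0), while a server willing to emit an 8192-byte UDP datagram yields a factor of roughly 187.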
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations