In message <[email protected]>, "Terry Manderson" writes:

> I would also like to see the observation made that no public AXFR service
> (that I am aware of) uses TSIG, so the fetching party is at the general
> risk exposure of non-TSIG AXFR. Not so much in terms of modifying data in
> the zone (as it's signed and the DNSSEC support on the recursive resolver
> is a MUST) but in a MiTM effort to simply withhold new versions of the
> root zone in a DoS frame.
And how would plain TSIG help? TKEY and subsequent TSIG can ensure that you
are talking to the server you think you are, but nothing can prevent a MiTM
DoS.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
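As an added illustration of the point in the reply above (not part of the thread, and not code from ISC or the DNSOP list), here is a stdlib-only Python sketch of TSIG signing and verification (RFC 8945) over a constructed AXFR exchange. The key name, secret, zone data and message IDs are all made up for the example. It shows what the MAC covers, so a transfer that has been edited, had its TSIG RR stripped, or been replayed outside the fudge window is rejected, and that a transfer the attacker simply never delivers gives the client nothing to verify: the only thing TSIG can say about silence is that it saw no signed response.

```python
import hashlib
import hmac
import struct

# Constructed example key shared between a zone's primary and an AXFR client.
# Key name, secret and algorithm are assumptions for this illustration, not real credentials.
KEY_NAME = "axfr-key.example."
ALGORITHM = "hmac-sha256."
SECRET = b"constructed-shared-secret-for-illustration-only"
TSIG_TYPE, CLASS_ANY, QTYPE_AXFR, QCLASS_IN = 250, 255, 252, 1


def encode_name(name):
    """Uncompressed, lower-cased wire form of a DNS name (the canonical form TSIG hashes)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(buf, off):
    """Offset just past the name starting at buf[off]; a compression pointer ends the name."""
    while True:
        n = buf[off]
        if n >= 0xC0:
            return off + 2
        off += 1 + n
        if n == 0:
            return off


def build_message(msg_id, flags, answers):
    """Header + one AXFR question for example. + the given pre-encoded answer RRs."""
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 0)
    return hdr + encode_name("example.") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN) + b"".join(answers)


def txt_rr(name, text):
    """A TXT record standing in for zone data in the constructed transfer."""
    rdata = bytes([len(text)]) + text.encode("ascii")
    return encode_name(name) + struct.pack("!HHIH", 16, QCLASS_IN, 3600, len(rdata)) + rdata


def tsig_variables(time_signed, fudge):
    """TSIG variables covered by the MAC (RFC 8945 section 4.3.3); error and other data empty."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + struct.pack("!Q", time_signed)[2:] + struct.pack("!HHH", fudge, 0, 0))


def tsig_mac(message, time_signed, fudge, request_mac):
    """HMAC over [len + request MAC] + unsigned message + TSIG variables (RFC 8945 section 4.3)."""
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += message + tsig_variables(time_signed, fudge)
    return hmac.new(SECRET, data, hashlib.sha256).digest()


def tsig_sign(message, time_signed, fudge=300, request_mac=b""):
    """Append a TSIG RR to an unsigned message; returns (signed message, MAC)."""
    mac = tsig_mac(message, time_signed, fudge, request_mac)
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(ALGORITHM) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", original_id, 0, 0))
    rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0]
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr, mac


def tsig_verify(signed, now, request_mac=b""):
    """Find the trailing TSIG RR, strip it, recompute the MAC and compare in constant time."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    rr_start = rtype = rdata = None
    for _ in range(an + ns + ar):
        rr_start = off
        off = skip_name(signed, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        rdata = signed[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
    if ar == 0 or rtype != TSIG_TYPE:
        return False                                   # unsigned or TSIG not last: reject
    p = skip_name(rdata, 0)
    if rdata[:p] != encode_name(ALGORITHM):
        return False
    time_signed = int.from_bytes(rdata[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rdata[p + 6:p + 10])
    mac = rdata[p + 10:p + 10 + mac_size]
    if abs(now - time_signed) > fudge:
        return False                                   # replayed or badly skewed clock
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:rr_start]
    return hmac.compare_digest(tsig_mac(unsigned, time_signed, fudge, request_mac), mac)


def check_transfer(response, now, request_mac):
    """What the AXFR client can conclude: 'ok', 'rejected', or 'withheld' (nothing arrived)."""
    if response is None:
        return "withheld"   # nothing to verify: TSIG has no say over packets that never arrive
    return "ok" if tsig_verify(response, now, request_mac) else "rejected"


def demo(now=1_700_000_000):
    """Sign a constructed AXFR exchange and exercise the outcomes a MiTM can cause."""
    query = build_message(0x1234, 0x0000, [])
    signed_query, request_mac = tsig_sign(query, now)
    response = build_message(0x1234, 0x8400, [txt_rr("example.", "serial=2024010101")])
    signed_response, _ = tsig_sign(response, now, request_mac=request_mac)
    tampered = bytearray(signed_response)              # MiTM edits one byte of zone data
    tampered[signed_response.index(b"serial=2024")] ^= 0x01
    return {
        "query": "ok" if tsig_verify(signed_query, now) else "rejected",
        "genuine": check_transfer(signed_response, now, request_mac),
        "tampered": check_transfer(bytes(tampered), now, request_mac),
        "stripped": check_transfer(response, now, request_mac),          # TSIG RR removed
        "replayed": check_transfer(signed_response, now + 3600, request_mac),
        "withheld": check_transfer(None, now, request_mac),
    }
```

The response MAC chains in the request MAC, so a signed answer to a different query is also rejected. The withheld case is the one the reply is making: a MiTM that drops the transfer, or serves a stale but correctly signed one within the fudge window from an old capture, leaves the client with a timeout or an old serial, and the only defences are out-of-band ones such as comparing the SOA serial against other sources or alerting when a transfer has not succeeded for too long.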
