Hi all

Ref: https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-message-checksums/

A preliminary BIND implementation of DNS message checksums is here: https://github.com/muks/bind9/ .. in the "dns-message-checksums" branch.

You can configure BIND as an authoritative server and play with it using dig from the same tree. dig requests a checksum by default (use +nochecksum to disable) and should return output whether the checksum validation passed or not. The exchange can be observed using a packet capture tool such as Wireshark. It uses the experimental EDNS0 OPTION-CODE 65002. Checksum validation MUST fail when the message is poisoned or the nonce mismatches.

(Note that currently, BIND as resolver doesn't signal support for the option to servers. Use dig to test it for now.)

It implements the draft as specified, adds some behaviors and checksum algorithm that are to be introduced in revision -02. A working copy of that upcoming revision can be seen here: https://users.isc.org/~muks/draft-muks-dnsop-dns-message-checksums.txt

Mukund
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
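For checking a captured message for the experimental option mentioned in the post, the following added example (not part of the original message and not code from the BIND branch) walks a raw DNS message to its OPT RR and returns the data of EDNS0 option 65002. The option payload layout is defined by the draft and is not decoded here; the function names and the sample query with placeholder option bytes are constructed for illustration.

```python
import struct

CHECKSUM_OPTION_CODE = 65002  # experimental EDNS0 OPTION-CODE named in the post
TYPE_OPT = 41                 # OPT pseudo-RR type (RFC 6891)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length

def find_edns_option(msg, code=CHECKSUM_OPTION_CODE):
    """Return the raw data of EDNS option `code` from the OPT RR, or None."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if off + rdlen > len(msg):
                raise ValueError("RDATA overruns message")
            pos, end = off, off + rdlen
            while rtype == TYPE_OPT and pos + 4 <= end:
                opt_code, opt_len = struct.unpack_from("!HH", msg, pos)
                pos += 4
                if pos + opt_len > end:
                    raise ValueError("EDNS option overruns OPT RDATA")
                if opt_code == code:
                    return msg[pos:pos + opt_len]
                pos += opt_len
            off += rdlen
        return None
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated DNS message") from exc

def build_sample_query(option_data=None):
    """Constructed example.com/A query with an OPT RR; option bytes are placeholders."""
    rdata = b"" if option_data is None else (
        struct.pack("!HH", CHECKSUM_OPTION_CODE, len(option_data)) + option_data)
    return (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
            + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
            + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata)
```

Passing the UDP payload bytes exported from a capture to `find_edns_option` shows whether a query or response carried the option at all, which is the first thing to confirm before looking at dig's validation output.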