On 17.09.18 02:27, Mark Andrews wrote:
Actually having the client's time and fudge in those fields for BADKEY provides spoofing protection for the unsigned responses. This is especially important with opportunistic TSIG, which is what TSIG with a WKK will be, as there is no longer the presumption that the server is configured for the key that there was when TSIG was originally drafted. It’s all about getting answers through acceptance filters.
Hi Mark,
thanks for the explanation, this sounds reasonable, I will fix our software in the next release.
Regards,
Klaus
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop