On Wed, Jul 10, 2019 at 2:21 AM Mark Andrews <ma...@isc.org> wrote:

> I’ve written up a method to defeat UDP fragmentation attacks using TSIG.
>
> https://tools.ietf.org/html/draft-andrews-dnsop-defeat-frag-attack-00
>
> If we are going to discuss methods to defeat such attacks this should be
> considered.
>
> --
> Mark Andrews, ISC
>

 Looks like a useful workaround.

2. The Well Known Key

The well known key has an owner name of "." and uses HMAC-SHA256
[RFC4635] as its algorithm with a key of 256 zero bits.


-- but later:

A.1. BIND 9

Add the following to named.conf. Some end-of-life versions do not
support HMAC-SHA256.

key "." {
algorithm hmac-sha256;
secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};


-- Does a key of 256 zeros translate to a string of "A" characters?  I am
not an expert on HMAC-SHA256.

-- 
Bob Harold
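An added example (not from the thread, the draft, or BIND) that works through the base64 question above: it encodes a key of 256 zero bits, checks the result against the `secret` string from the quoted named.conf snippet, and then computes HMAC-SHA256 with that key over a constructed message to show that any party holding the public zero key can both produce and verify the MAC. The message bytes and the tampered variant are constructed for the example.

```python
import base64
import hashlib
import hmac

# 256 zero bits = 32 zero bytes: the well-known key described in the draft.
WELL_KNOWN_KEY = bytes(32)

# The secret string exactly as it appears in the named.conf snippet quoted above.
NAMED_CONF_SECRET = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="


def zero_key_base64(bits: int = 256) -> str:
    """Base64 encoding of a key made of `bits` zero bits.

    Base64 maps each 6 zero bits to 'A'; 32 bytes give 43 'A's plus one '='
    of padding (32 bytes = 10 full 3-byte groups + 2 trailing bytes).
    """
    return base64.b64encode(bytes(bits // 8)).decode("ascii")


def decode_secret(secret: str) -> bytes:
    """Decode a named.conf style base64 secret, rejecting malformed input."""
    return base64.b64decode(secret, validate=True)


def matches_named_conf(secret: str = NAMED_CONF_SECRET) -> bool:
    """True if the quoted secret decodes to exactly 256 zero bits."""
    return decode_secret(secret) == WELL_KNOWN_KEY


def tsig_mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 hex digest over `data` with `key` (the TSIG algorithm the draft names)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, mac_hex: str) -> bool:
    """Constant-time comparison of a received MAC against a recomputed one."""
    return hmac.compare_digest(tsig_mac(key, data), mac_hex)


if __name__ == "__main__":
    # Constructed stand-in for the bytes a TSIG signer would cover; not a real DNS message.
    message = b"constructed-dns-response-bytes"
    mac = tsig_mac(WELL_KNOWN_KEY, message)
    print("base64(256 zero bits) =", zero_key_base64())
    print("named.conf secret matches:", matches_named_conf())
    print("MAC verifies on the original message:", verify_mac(WELL_KNOWN_KEY, message, mac))
    # Any change to the covered bytes (e.g. a substituted fragment) breaks the MAC,
    # even though the key itself is public.
    print("MAC verifies on a tampered message:", verify_mac(WELL_KNOWN_KEY, message + b"x", mac))
```

Because the key is public, the MAC offers no secrecy or peer authentication; what it gives the verifier is an integrity check over the whole covered message, which is the property the draft relies on.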
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop