On Wed, Jul 10, 2019 at 2:21 AM Mark Andrews <ma...@isc.org> wrote:
> I’ve written up a method to defeat UDP fragmentation attacks using TSIG.
>
> https://tools.ietf.org/html/draft-andrews-dnsop-defeat-frag-attack-00
>
> If we are going to discuss methods to defeat such attacks this should be
> considered.
>
> --
> Mark Andrews, ISC
>
Looks like a useful workaround.
2. The Well Known Key
The well known key has a owner name of "." and uses HMAC-SHA256
[RFC4635] as its algorithm with a key of 256 zero bits.
-- but later:
A.1. BIND 9
Add the following to named.conf. Some end-of-life versions do not
support HMAC-SHA256.
key "." {
algorithm hmac-sha256;
secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};
-- Does a key of 256 zeros translate to a string of "A" characters? I am
not an expert on HMAC-SHA256.
--
Bob Harold
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
