On Wed, Jul 10, 2019 at 2:21 AM Mark Andrews <ma...@isc.org> wrote:
> I’ve written up a method to defeat UDP fragmentation attacks using TSIG.
>
> https://tools.ietf.org/html/draft-andrews-dnsop-defeat-frag-attack-00
>
> If we are going to discuss methods to defeat such attacks this should be
> considered.
>
> --
> Mark Andrews, ISC
Looks like a useful workaround.

   2.  The Well Known Key

   The well known key has an owner name of "." and uses HMAC-SHA256
   [RFC4635] as its algorithm with a key of 256 zero bits.

-- but later:

   A.1.  BIND 9

   Add the following to named.conf.  Some end-of-life versions do not
   support HMAC-SHA256.

   key "." {
       algorithm hmac-sha256;
       secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
   };

--

Does a key of 256 zeros translate to a string of "A" characters?
I am not an expert on HMAC-SHA256.

--
Bob Harold
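The following is an added worked example, not code from the draft, from BIND, or from either poster. It checks the relationship between the two excerpts above (32 zero bytes base64-encode to 43 "A" characters followed by "=", which is what the named.conf `secret` string holds) and then computes and verifies an HMAC-SHA256 TSIG MAC with that well-known key over a constructed, not captured, DNS response. The MAC input follows the RFC 8945 layout (optional length-prefixed request MAC, the message without its TSIG RR, then the TSIG variables); the sample message, the time-signed value and the tampered tail are assumptions chosen for the demonstration, and the block does not build or parse the TSIG RR itself.

```python
import base64
import hashlib
import hmac
import struct

# Well-known key as described in draft-andrews-dnsop-defeat-frag-attack-00:
# owner name ".", algorithm HMAC-SHA256, key of 256 zero bits (32 zero bytes).
WELL_KNOWN_KEY = bytes(32)
WELL_KNOWN_KEY_NAME = "."
WELL_KNOWN_ALGORITHM = "hmac-sha256."


def named_conf_secret(key: bytes) -> str:
    """base64 form of a raw key, which is what BIND's `secret` statement holds."""
    return base64.b64encode(key).decode("ascii")


def decode_secret(secret: str) -> bytes:
    """Inverse of named_conf_secret(): raw key bytes from a named.conf secret string."""
    return base64.b64decode(secret, validate=True)


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name; "." is a lone zero byte."""
    labels = [label for label in name.lower().split(".") if label]
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return wire + b"\x00"


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG variables that are appended to the HMAC input (RFC 8945, section 4.3.3)."""
    return (
        name_to_wire(key_name)
        + struct.pack("!HI", 255, 0)          # CLASS ANY, TTL 0
        + name_to_wire(algorithm)
        + time_signed.to_bytes(6, "big")      # 48-bit Time Signed
        + struct.pack("!HHH", fudge, error, len(other))
        + other
    )


def tsig_mac(key, message, variables, request_mac=b""):
    """HMAC-SHA256 over [length-prefixed request MAC] + message + TSIG variables.

    `message` is the DNS message with its TSIG RR removed and ARCOUNT decremented.
    A signed response also covers the MAC of the request it answers.
    """
    data = b""
    if request_mac:
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + variables
    return hmac.new(key, data, hashlib.sha256).digest()


def tsig_verify(key, message, variables, mac, request_mac=b""):
    """Constant-time comparison of the received MAC against the recomputed one."""
    return hmac.compare_digest(tsig_mac(key, message, variables, request_mac), mac)


def demo():
    """Sign a constructed response, then alter its tail the way a spoofed fragment would."""
    # Constructed sample: header (ID 0x1234, QR/RD/RA, 1 question, 1 answer),
    # a question for example.com/A and one A record; assumed values, not captured traffic.
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    message = header + question + answer
    variables = tsig_variables(WELL_KNOWN_KEY_NAME, WELL_KNOWN_ALGORITHM,
                               time_signed=1562736060, fudge=300)
    mac = tsig_mac(WELL_KNOWN_KEY, message, variables)
    # Replace the last four bytes (the A RDATA) as if a later fragment had been substituted.
    tampered = message[:-4] + bytes([198, 51, 100, 1])
    return (tsig_verify(WELL_KNOWN_KEY, message, variables, mac),
            tsig_verify(WELL_KNOWN_KEY, tampered, variables, mac))


if __name__ == "__main__":
    print(named_conf_secret(WELL_KNOWN_KEY))   # the draft's named.conf secret
    print(demo())                              # (True, False)
```

Running the block prints the 44-character secret and `(True, False)`: the untouched message verifies, the one with a substituted tail does not, even though the key itself is public. The key being well known does not matter for this check because the MAC covers every byte of the reassembled message, so whoever substitutes a fragment must also produce a MAC over the full message as the receiver will see it.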
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop