Thanks for explaining that. I leave it up to you if a comment to that effect in the draft would avoid the same question in the future.
--
Bob Harold

On Wed, Jul 10, 2019 at 5:12 PM Mark Andrews <ma...@isc.org> wrote:

> AAAA is the base64 encoding of 3 zero octets. If named was using a hex
> encoding it would be 000000.
>
> --
> Mark Andrews
>
> On 11 Jul 2019, at 06:45, Bob Harold <rharo...@umich.edu> wrote:
>
> > On Wed, Jul 10, 2019 at 2:21 AM Mark Andrews <ma...@isc.org> wrote:
> >
> >> I’ve written up a method to defeat UDP fragmentation attacks using TSIG.
> >>
> >> https://tools.ietf.org/html/draft-andrews-dnsop-defeat-frag-attack-00
> >>
> >> If we are going to discuss methods to defeat such attacks this should be
> >> considered.
> >>
> >> --
> >> Mark Andrews, ISC
> >
> > Looks like a useful workaround.
> >
> > 2. The Well Known Key
> >
> > The well known key has an owner name of "." and uses HMAC-SHA256
> > [RFC4635] as its algorithm with a key of 256 zero bits.
> >
> > -- but later:
> >
> > A.1. BIND 9
> >
> > Add the following to named.conf. Some end-of-life versions do not
> > support HMAC-SHA256.
> >
> > key "." {
> >     algorithm hmac-sha256;
> >     secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
> > };
> >
> > -- Does a key of 256 zeros translate to a string of "A" characters? I am
> > not an expert on HMAC-SHA256.
> >
> > --
> > Bob Harold
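As an added example (not part of the thread, the draft, or BIND), the Python below shows why a 256-bit all-zero key base64-encodes to a run of "A" characters, checks the secret quoted from the draft's named.conf snippet against that encoding, and sketches the HMAC-SHA256 comparison a receiver performs with the well known key. The `SAMPLE_RESPONSE` bytes and the `verify` helper are constructed for illustration and stand in for the TSIG digest input; the real TSIG wire layout is not reproduced here.

```python
import base64
import hashlib
import hmac

# The secret from the draft's named.conf snippet, as quoted in the thread.
DRAFT_SECRET = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="


def zero_key_secret(bits: int) -> str:
    """Base64 encoding of an all-zero key of the given length in bits."""
    if bits % 8:
        raise ValueError("key length must be a whole number of octets")
    return base64.b64encode(bytes(bits // 8)).decode("ascii")


def decode_secret(secret: str) -> bytes:
    """Decode a named.conf base64 secret back to raw key octets."""
    return base64.b64decode(secret, validate=True)


def explain_zero_encoding(bits: int) -> dict:
    """Why an all-zero key comes out as a run of 'A's.

    base64 maps each 6-bit group to one alphabet character, and the group
    000000 is index 0, i.e. 'A'.  256 bits is 42 full groups plus 4 leftover
    bits (one more 'A'), and because 32 octets is not a multiple of 3 the
    final block is padded with one '='.  3 zero octets (24 bits) give 'AAAA'.
    """
    full_groups, leftover_bits = divmod(bits, 6)
    a_chars = full_groups + (1 if leftover_bits else 0)
    padding = (-(bits // 8)) % 3  # number of '=' characters: 0, 1 or 2
    return {"a_chars": a_chars, "padding": padding, "secret": zero_key_secret(bits)}


# The well known key: 256 zero bits, decoded from the draft's secret.
WELL_KNOWN_KEY = decode_secret(DRAFT_SECRET)


def mac_over(message: bytes, key: bytes = WELL_KNOWN_KEY) -> bytes:
    """HMAC-SHA256 over a message (constructed stand-in for the TSIG digest input)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(received: bytes, sent_mac: bytes, key: bytes = WELL_KNOWN_KEY) -> bool:
    """Receiver side: recompute the MAC over what actually arrived after
    reassembly and compare it, in constant time, with the MAC the signer sent."""
    return hmac.compare_digest(mac_over(received, key), sent_mac)


# Constructed sample: a response as signed, and a copy with one octet altered,
# standing in for a datagram whose reassembled contents no longer match.
SAMPLE_RESPONSE = b"constructed-dns-response-bytes"
TAMPERED_RESPONSE = bytearray(SAMPLE_RESPONSE)
TAMPERED_RESPONSE[5] ^= 0x01
TAMPERED_RESPONSE = bytes(TAMPERED_RESPONSE)


def main() -> None:
    print("3 zero octets ->", zero_key_secret(24))
    print("256 zero bits ->", zero_key_secret(256))
    print("matches draft secret:", zero_key_secret(256) == DRAFT_SECRET)
    print("breakdown:", explain_zero_encoding(256))
    sent = mac_over(SAMPLE_RESPONSE)
    print("intact response verifies:", verify(SAMPLE_RESPONSE, sent))
    print("altered response verifies:", verify(TAMPERED_RESPONSE, sent))


if __name__ == "__main__":
    main()
```

Because the key is known to everyone, the MAC proves nothing about who sent the message; what it gives the receiver is a check that the datagram it reassembled is the one the signer computed the MAC over, which is the property the draft relies on.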
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop