On Mon, Sep 01, 2008 at 10:45:02AM -0700, [EMAIL PROTECTED] wrote:
> Title : Preventing Use of Recursive Nameservers in Reflector Attacks
> Author(s) : J. Damas, F. Neves
> Filename: draft-ietf-dnsop-reflectors-are-evil-06.txt
> Pages :
(resent due to list hiccups - if anyone gets multiple messages, I
apologize)
I would also mention in the text that this problem applies to a zone
migrating from NSEC to NSEC3 (when using RSA/SHA-1). The algorithm
code is used to signal it so it would appear to resolvers as two
different al
Mark Andrews wrote:
>
> What I'm getting from this is that the keyset at the apex must (at
> least) be signed by each algorithm in the DS referral, and every rrset
> in the zone must be signed by each algorithm in the apex keyset.
>
>> which is