[dns-operations] Announcement - DNS flag day on 2019-02-01
Mark Andrews
marka at isc.org
Thu Jun 14 05:02:40 UTC 2018
> On 14 Jun 2018, at 6:51 am, Florian Weimer <fw at deneb.enyo.de> wrote:
>
> * Petr Špaček:
>
>> you might be interested in information about "DNS flag day" coordinated
>> by open-source DNS vendors and is planned for 2019-02-01
>> (February 1st 2019).
>>
>> Further information can be found on
>> https://dnsflagday.net/
>
> Is there still no reduction of EDNS buffer size to around 1200 bytes?
> Isn't it time after ten years to address that particular
> vulnerability?
If you are talking about fragmentation reassembly attacks you need to
use something with a cryptographic hash independent of EDNS. TSIG with
a well-known key and a 64-bit nonce in the extra data of the TSIG record
would suffice. One may be able to get away without the nonce, but a
cryptographer would need to check if there is enough variability (time, id)
in the query without it.
e.g.
key name = "."
key algorithm = "hmac-sha256"
key secret = all zeros.
For BIND 9 adding this to named.conf would allow named to answer such a client.
Named does not enforce that the extra data field is empty. It just computes the
signature with the presented data. Other implementations may vary.
key "." {
algorithm hmac-sha256;
secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
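As an added illustration of the scheme sketched in the reply above (this is example code written for this page, not code from the thread, from BIND or from ISC), the following Python computes a TSIG MAC the way RFC 8945 lays out the digest input, using the well-known key from the reply (name ".", hmac-sha256, 32 zero bytes) and a client-chosen 64-bit nonce carried in the TSIG "Other Data" field. The response MAC chains over the request MAC, so a response assembled from a spoofed fragment fails verification even though the key itself is public. The sample query, the response builder, the dictionary of TSIG fields and the function names are constructions of this example.

```python
"""TSIG (RFC 8945) MAC with a well-known all-zero hmac-sha256 key and a
64-bit nonce in the TSIG "Other Data" field.  Added example; assumes the
nonce placement described in the mailing-list reply, not a standardized use."""
import hashlib
import hmac
import secrets
import struct

# Well-known key from the reply: name ".", algorithm hmac-sha256, all-zero
# secret (the base64 "AAAA...=" in the named.conf snippet decodes to 32 zero bytes).
KEY_NAME = "."
ALG_NAME = "hmac-sha256."
KEY_SECRET = bytes(32)
CLASS_ANY = 255


def name_to_wire(name: str) -> bytes:
    """Encode a domain name in uncompressed, lowercase wire format."""
    name = name.lower().rstrip(".")
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        wire += struct.pack("!B", len(raw)) + raw
    return wire + b"\x00"


def tsig_mac(message: bytes, time_signed: int, fudge: int, other_data: bytes,
             request_mac: bytes = b"", error: int = 0, key: bytes = KEY_SECRET) -> bytes:
    """Digest input per RFC 8945 section 4.3: [request MAC, responses only]
    + DNS message (without the TSIG RR) + TSIG variables."""
    data = b""
    if request_mac:
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message
    data += name_to_wire(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0)  # NAME, CLASS, TTL
    data += name_to_wire(ALG_NAME)                                       # Algorithm Name
    data += time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, error)
    data += struct.pack("!H", len(other_data)) + other_data              # Other Len, Other Data
    return hmac.new(key, data, hashlib.sha256).digest()


def build_query(qname: str, msg_id: int) -> bytes:
    """Constructed sample: minimal DNS query, one A question, no EDNS."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + name_to_wire(qname) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, address: bytes) -> bytes:
    """Constructed sample: echo the question, add one A record (compression
    pointer 0xc00c back to the question name)."""
    msg_id = query[:2]
    header = msg_id + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + address
    return header + query[12:] + answer


def sign_query(message: bytes, time_signed: int, fudge: int = 300) -> dict:
    """Client side: fresh 64-bit nonce in Other Data, MAC over message + variables."""
    nonce = secrets.token_bytes(8)
    return {"mac": tsig_mac(message, time_signed, fudge, nonce),
            "time_signed": time_signed, "fudge": fudge, "other_data": nonce}


def sign_response(response: bytes, request_mac: bytes, time_signed: int,
                  fudge: int = 300) -> dict:
    """Server side: the response MAC chains over the request MAC, which in
    turn covers the client's nonce."""
    return {"mac": tsig_mac(response, time_signed, fudge, b"", request_mac=request_mac),
            "time_signed": time_signed, "fudge": fudge, "other_data": b""}


def verify_response(response: bytes, tsig: dict, request_mac: bytes, now=None) -> bool:
    """Client side: recompute and compare in constant time; when `now` is
    given, also reject signatures outside the fudge window."""
    if now is not None and abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return False
    expected = tsig_mac(response, tsig["time_signed"], tsig["fudge"],
                        tsig["other_data"], request_mac=request_mac)
    return hmac.compare_digest(expected, tsig["mac"])


if __name__ == "__main__":
    t = 1528952560                      # constructed "time signed" value
    q = build_query("example.com.", 0x1234)
    qsig = sign_query(q, t)
    r = build_response(q, bytes([192, 0, 2, 1]))
    rsig = sign_response(r, qsig["mac"], t)
    print("genuine response verifies:", verify_response(r, rsig, qsig["mac"], now=t + 5))
    forged = r[:-1] + bytes([r[-1] ^ 1])  # one byte changed, as a swapped fragment would do
    print("altered response verifies:", verify_response(forged, rsig, qsig["mac"], now=t + 5))
```

Because the response MAC includes the request MAC, and the request MAC includes the random nonce, an attacker who can spoof response fragments has no way to precompute a valid TSIG even though the key is all zeros; the check is purely about integrity and freshness, not secrecy.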