[dns-operations] Spoofing DNS with fragments

p vixie paul at redbarn.org
Wed Sep 12 17:15:03 UTC 2018


If there is only one very narrow path to implementation of dnssec that will be secure, then that should be part of the specification.
-- 
p vixie

----- Original Message -----
From: Florian Weimer <fweimer at redhat.com>
Sent: 2018-09-12 - 08:00
To: Mark Andrews <marka at isc.org>, Paul Vixie <paul at redbarn.org>
Subject: Re: [dns-operations] Spoofing DNS with fragments

> On 09/12/2018 12:50 AM, Mark Andrews wrote:
>> TSIG with a well known key doesn’t require a flag day.
> 
> I'm worried that using TSIG will require a flag day eventually, just 
> like EDNS.
> 
> The buffer size hack, combined with kernel assistance on some systems, 
> looks much more promising, and it only requires fixing the authoritative 
> server side, too.
> 
> Thanks,
> Florian
