--- Begin Message ---
Hi
The .sl ccTLD (Sierra Leone) is being used as an amplifier for reflection
attacks.
It looks like the domain is horribly misconfigured:
1) It has 4 keys:
- Two KSKs, each one *4096* in size
- Two ZSKs, each 2048
2) *ALL* keys are used to sign DNSKEY records, resulting in 4 DNSKEY RRSIGs
3) All other records are signed twice
4) All algos are 7
5) There is no DS in the root, this TLD is not DNSSEC validated
As a result,
The reply size of "dig sl any" is 5814 (!)
Again, this is being used as an amplifier for reflection attacks (victims
referred to us for help).
If anyone knows someone there who can fix this?
Thanks,
Meir Kraushar
ISOC-IL
--- End Message ---
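
Added example, not part of the original message: a wire-size estimate for the DNSKEY RRset and its RRSIGs under the key set described in points 1, 2 and 4, next to the same key set with only the KSKs signing the DNSKEY RRset. Assumptions: RSA public exponent 65537, owner names compressed to a 2-byte pointer, signer name uncompressed; the RsaKey type and the function names are illustrative.

```python
from dataclasses import dataclass

RR_FIXED = 10      # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
OWNER_PTR = 2      # assumption: owner name sent as a compression pointer
RSA_EXPONENT = 3   # assumption: public exponent 65537 (3 bytes)

@dataclass(frozen=True)
class RsaKey:
    role: str      # "KSK" or "ZSK"
    bits: int      # RSA modulus size in bits

def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name such as 'sl.'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1   # +1 for the root label

def dnskey_rr_len(key: RsaKey) -> int:
    # RDATA: flags(2) + protocol(1) + algorithm(1), then the RFC 3110 key:
    # exponent length byte + exponent + modulus
    rdata = 4 + 1 + RSA_EXPONENT + key.bits // 8
    return OWNER_PTR + RR_FIXED + rdata

def rrsig_rr_len(signer: RsaKey, zone: str) -> int:
    # RDATA: 18 fixed bytes + uncompressed signer name + RSA signature,
    # which is as long as the signing key's modulus
    rdata = 18 + wire_name_len(zone) + signer.bits // 8
    return OWNER_PTR + RR_FIXED + rdata

def dnskey_answer_len(zone, keys, signers) -> int:
    """Bytes the DNSKEY RRset plus its RRSIGs add to a response."""
    return (sum(dnskey_rr_len(k) for k in keys)
            + sum(rrsig_rr_len(k, zone) for k in signers))

# Key set as described in the message: two 4096-bit KSKs, two 2048-bit ZSKs.
KEYS = [RsaKey("KSK", 4096), RsaKey("KSK", 4096),
        RsaKey("ZSK", 2048), RsaKey("ZSK", 2048)]
KSKS = [k for k in KEYS if k.role == "KSK"]

if __name__ == "__main__":
    as_reported = dnskey_answer_len("sl.", KEYS, KEYS)   # all four keys sign
    ksk_only = dnskey_answer_len("sl.", KEYS, KSKS)      # only the KSKs sign
    print(f"DNSKEY + RRSIGs, signed by all four keys: {as_reported} bytes")
    print(f"DNSKEY + RRSIGs, signed by the KSKs only: {ksk_only} bytes")
```

Under these assumptions the DNSKEY RRset and its four signatures come to 3288 bytes, against 2708 bytes when only the KSKs sign it.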