[dns-operations] .fr has 5 DNSKEYs

George Barwood george.barwood at blueyonder.co.uk
Wed Jun 1 16:18:03 UTC 2011


> I see this as an advantage: debug packet sizes problems today, when
> they do not have practical consequences, before we really depend on
> DNSSEC.

You should be aware that there are some potential security problems.

Fragmented UDP responses are especially vulnerable to spoofing, because
of the way IP fragmentation works. The DNS ID field (and UDP source port)
is only present in the first fragment, so by sending spoofed non-first fragments
an attacker that can predict the IP ID (which might be possible depending
on the underlying IP implementation) may be able to spoof a response with
a single or very low number of packets, or in any case using ~2^64 packets.

It's best that the introduction of DNSSEC does not reduce security for
DNS data not protected by DNSSEC.

The other point: is it true that, after the detected compromise of a key, having a
rescue key allows security to be restored faster?

You can start signing with the rescue key, but the attacker can still forge responses
until the old DNSKEY RRsets have expired. So that's not clear.

George
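The "debug packet sizes" point in the quoted reply and the fragmentation concern above both come down to one question: how large is a zone's signed DNSKEY response on the wire, and does it exceed the path MTU? The following Python script is an added example written for this thread, not code from the post or from the .fr operators. It builds a minimal DNSSEC DNSKEY response in DNS wire format (RSA/SHA-256 keys with zero-filled key material, no name compression, one RRSIG per signing key, an EDNS OPT record with the DO bit) and reports whether the resulting IPv4 datagram would be fragmented at a given MTU. The five-key layout (two 2048-bit KSKs, three 1024-bit ZSKs) is a constructed assumption, not .fr's actual key set.

```python
import struct

# Constructed example for estimating DNSKEY response size; not the list post's code.


def encode_name(name):
    """Encode a domain name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(name_wire, rtype, ttl, rdata):
    """One resource record: NAME, TYPE, CLASS=IN, TTL, RDLENGTH, RDATA."""
    return name_wire + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def dnskey_rdata(flags, modulus_bytes, exponent=b"\x01\x00\x01"):
    """DNSKEY RDATA for an RSA key (protocol 3, algorithm 8 = RSASHA256).
    RFC 3110 public key layout: exponent length, exponent, modulus.
    Key bytes are zero-filled placeholders; only the length matters here."""
    pubkey = bytes([len(exponent)]) + exponent + b"\x00" * modulus_bytes
    return struct.pack("!HBB", flags, 3, 8) + pubkey


def rrsig_rdata(signer_wire, sig_bytes, type_covered=48, alg=8,
                labels=1, orig_ttl=3600):
    """RRSIG RDATA covering DNSKEY; expiration/inception/keytag set to 0,
    signature zero-filled (length equals the RSA modulus length)."""
    fixed = struct.pack("!HBBIIIH", type_covered, alg, labels, orig_ttl, 0, 0, 0)
    return fixed + signer_wire + b"\x00" * sig_bytes


def build_dnskey_response(zone, keys, signing_key_bits, edns_bufsize=4096):
    """Return the UDP payload of a DNSKEY answer.
    keys: list of (flags, modulus bits) for every DNSKEY published.
    signing_key_bits: modulus bits of each key that signs the RRset."""
    name = encode_name(zone)
    ancount = len(keys) + len(signing_key_bits)
    # ID, flags (QR|AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (1 for OPT)
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, ancount, 0, 1)
    question = name + struct.pack("!HH", 48, 1)  # DNSKEY, IN
    answer = b""
    for flags, bits in keys:
        answer += rr(name, 48, 3600, dnskey_rdata(flags, bits // 8))
    for bits in signing_key_bits:
        answer += rr(name, 46, 3600, rrsig_rdata(name, bits // 8))
    # OPT pseudo-RR: root name, type 41, CLASS = UDP buffer size, TTL carries DO bit
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0x00008000, 0)
    return header + question + answer + opt


def fragmentation_report(payload, mtu=1500, advertised_bufsize=4096):
    """IPv4 view of the response: total datagram size, how many fragments a
    router would produce at `mtu`, and whether the DNS ID and UDP port (first
    fragment only) travel in every fragment. `truncated` tells whether a server
    honouring a smaller advertised EDNS buffer would set TC instead."""
    ip_hdr, udp_hdr = 20, 8
    datagram = ip_hdr + udp_hdr + len(payload)
    per_fragment = (mtu - ip_hdr) // 8 * 8  # fragment data is 8-byte aligned
    fragments = -(-(datagram - ip_hdr) // per_fragment)
    return {
        "dns_bytes": len(payload),
        "ip_bytes": datagram,
        "fragments": fragments,
        "id_and_port_in_every_fragment": fragments == 1,
        "truncated": len(payload) > advertised_bufsize,
    }


# Constructed five-key layout: two 2048-bit KSKs (flags 257, SEP bit) and
# three 1024-bit ZSKs (flags 256); the RRset is signed by both KSKs.
EXAMPLE_KEYS = [(257, 2048), (257, 2048), (256, 1024), (256, 1024), (256, 1024)]
EXAMPLE_SIGNERS = [2048, 2048]

if __name__ == "__main__":
    msg = build_dnskey_response(".fr", EXAMPLE_KEYS, EXAMPLE_SIGNERS)
    print(fragmentation_report(msg))
    print(fragmentation_report(msg, advertised_bufsize=1232))
```

For the constructed layout the response is 1621 bytes of DNS payload, 1649 bytes as an IPv4 datagram, and splits into two fragments at a 1500-byte MTU, so only the first fragment carries the DNS ID and UDP port. A resolver that advertises a buffer of 1232 bytes instead receives a truncated answer and retries over TCP, which avoids the fragment-spoofing exposure described in the post at the cost of the extra round trip.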

