[dns-operations] .fr has 5 DNSKEYs

Stephane Bortzmeyer bortzmeyer at nic.fr
Sat Jun 4 16:34:03 UTC 2011


On Wed, Jun 01, 2011 at 05:18:03PM +0100,
 George Barwood <george.barwood at blueyonder.co.uk> wrote 
 a message of 20 lines which said:

> Fragmented UDP responses are especially vulnerable to spoofing,
> because of the way IP fragmentation works. The DNS ID field (and UDP
> source port) is only present in the first fragment, so by sending
> spoofed non-first fragments an attacker that can predict the IP ID
> (which might be possible depending on the underlying IP
> implementation) may be able to spoof a response.

I do not see how the attack works: spoofing the non-first fragments is
useless since, if you cannot spoof the first one, the packet won't be
reassembled and the DNS data won't be accepted by the name server.

Do you have a pointer to a detailed description of this attack?
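As an added illustration (not code from either poster), here is a small Python model of IPv4 fragmentation of a UDP/DNS response: it shows which identifiers each fragment carries and that a reassembler hands nothing to the DNS layer unless the offset-0 fragment is present. Sizes, ports, IP ID and DNS ID are constructed sample values.

```python
import struct
from typing import Optional

DNS_ID = 0x1234                 # constructed sample transaction ID
SRC_PORT, DST_PORT = 53, 40000  # constructed sample port pair

def build_udp_dns_response(answer: bytes) -> bytes:
    """UDP header (8 bytes) + DNS header (12 bytes) + answer bytes."""
    dns = struct.pack("!HHHHHH", DNS_ID, 0x8180, 1, 1, 0, 0) + answer
    return struct.pack("!HHHH", SRC_PORT, DST_PORT, 8 + len(dns), 0) + dns

def fragment(datagram: bytes, ip_id: int, chunk: int = 1480) -> list:
    """Split an IP payload the way a router would. Every fragment carries
    only the IP-level matching fields: IP ID, offset (8-byte units), MF."""
    assert chunk % 8 == 0, "non-final fragments must be multiples of 8 bytes"
    return [{"ip_id": ip_id, "offset": off // 8,
             "mf": off + chunk < len(datagram),
             "data": datagram[off:off + chunk]}
            for off in range(0, len(datagram), chunk)]

def identifiers_in(frag: dict) -> dict:
    """Anti-spoofing identifiers a receiver can check on this fragment.
    UDP ports and the DNS ID sit in the datagram's first 10 bytes, so only
    the offset-0 fragment has them; later ones expose just the IP ID."""
    ids = {"ip_id": frag["ip_id"]}
    if frag["offset"] == 0:
        ids["udp_ports"] = struct.unpack("!HH", frag["data"][0:4])
        ids["dns_id"] = struct.unpack("!H", frag["data"][8:10])[0]
    return ids

def reassemble(frags: list) -> Optional[bytes]:
    """Deliver the datagram only if fragments with one IP ID run
    contiguously from offset 0 up to the MF=0 fragment; else drop it.
    Without the first fragment nothing is handed to the DNS layer."""
    if not frags:
        return None
    ip_id = frags[0]["ip_id"]
    buf = b""
    for f in sorted((f for f in frags if f["ip_id"] == ip_id),
                    key=lambda f: f["offset"]):
        if f["offset"] * 8 != len(buf):
            return None          # gap (e.g. missing first fragment)
        buf += f["data"]
        if not f["mf"]:
            return buf           # terminal fragment reached contiguously
    return None                  # final fragment never arrived

if __name__ == "__main__":
    frags = fragment(build_udp_dns_response(b"A" * 2000), ip_id=7)
    print([identifiers_in(f) for f in frags], reassemble(frags[1:]))
```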
