[dns-operations] summary of recent vulnerabilities in DNS security.

Tony Finch dot at dotat.at
Tue Oct 22 09:48:52 UTC 2013

Colm MacCárthaigh <colm at stdlib.net> wrote:
> This thread concerns the vulnerabilities uncovered in the fragment
> attacks. One of those vulnerabilities is that domains can be rendered
> unresolvable; even when DNSSEC is enabled. That seems like something
> to take seriously.

I am increasingly doubtful that EDNS buffer sizes greater than the MTU are
a good idea.

Apart from avoiding fragments, are there other ways to mitigate this
attack? Perhaps by adjusting the way the recursive server handles lame
authorities, perhaps by making it more eager to re-fetch the delegation
from the parent authorities?

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
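The point about EDNS buffer sizes, shown in code as an added example (this is not part of Tony Finch's message or of any resolver's code base): a resolver advertises its UDP payload size in the EDNS0 OPT pseudo-record (RFC 6891), and an authoritative server will happily send any response that fits that advertised size in a single UDP datagram, leaving the IP layer to fragment it. If the advertised size is kept at or below what fits in one unfragmented datagram, an oversized response is instead truncated (TC=1) and the resolver retries over TCP, so the fragments never exist. The functions below build and parse the OPT record and compute that limit; the header-size constants assume IPv4/IPv6 headers without options or extension headers.

```python
"""
Added example, not from the original post: EDNS0 OPT record handling and
a fragmentation check. Assumes fixed IP header sizes (no IPv4 options,
no IPv6 extension headers).
"""
import struct

IPV4_HEADER = 20   # bytes, no options
IPV6_HEADER = 40   # bytes, no extension headers
UDP_HEADER = 8
OPT_TYPE = 41      # RR TYPE for the OPT pseudo-record


def max_unfragmented_payload(mtu: int, ipv6: bool = False) -> int:
    """Largest DNS message that fits in one datagram at this MTU."""
    return mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - UDP_HEADER


def safe_edns_size(mtu: int, ipv6: bool = False) -> int:
    """UDP payload size to advertise so the server truncates instead of
    sending a response that the IP layer must fragment (512 is the floor
    every DNS server must accept)."""
    return max(512, max_unfragmented_payload(mtu, ipv6))


def build_opt_rr(udp_payload_size: int, do_bit: bool = True) -> bytes:
    """Wire-format OPT RR (RFC 6891): empty owner name, TYPE=41,
    CLASS=advertised UDP payload size, TTL=ext-rcode/version/flags,
    RDLENGTH=0 (no EDNS options)."""
    if not 512 <= udp_payload_size <= 65535:
        raise ValueError("EDNS payload size must be 512..65535")
    flags = 0x8000 if do_bit else 0          # DO bit: please include DNSSEC RRs
    ttl = (0 << 24) | (0 << 16) | flags      # extended RCODE 0, EDNS version 0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)


def parse_opt_rr(rr: bytes) -> dict:
    """Decode the fixed part of an OPT RR as produced by build_opt_rr."""
    if len(rr) < 11 or rr[0] != 0:
        raise ValueError("not an OPT RR: owner name must be the root")
    rtype, payload, ttl, rdlen = struct.unpack("!HHIH", rr[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR: TYPE is not 41")
    return {
        "udp_payload_size": payload,
        "ext_rcode": ttl >> 24,
        "version": (ttl >> 16) & 0xFF,
        "do": bool(ttl & 0x8000),
        "rdlength": rdlen,
    }


def will_fragment(advertised: int, response_len: int, mtu: int,
                  ipv6: bool = False) -> bool:
    """True when the response fits the advertised buffer (so the server
    sends it over UDP) but not in one datagram at this MTU (so the IP
    layer fragments it). A response larger than `advertised` is truncated
    by the server and retried over TCP, which never fragments."""
    limit = max_unfragmented_payload(mtu, ipv6)
    return response_len <= advertised and response_len > limit


if __name__ == "__main__":
    # Constructed scenario: a 2000-byte DNSSEC response on a 1500-byte path.
    for size in (4096, safe_edns_size(1500)):
        opt = parse_opt_rr(build_opt_rr(size))
        print(f"advertise {opt['udp_payload_size']}: "
              f"fragmented={will_fragment(size, 2000, 1500)}")
```

Run as-is it contrasts a 4096-byte advertisement (the 2000-byte response goes out in one UDP message and is fragmented on the wire) with an advertisement sized to the path (the server sets TC and the resolver falls back to TCP). The same arithmetic gives 1232 for the IPv6 minimum MTU of 1280, which is why that value is the usual choice for a fragment-avoiding configuration.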
