[dns-operations] DNS Attack over UDP fragmentation

[Paul Vixie]

how much more money, brains, and time are we going to collectively waste
on dns (so, a WOMBAT) to solve the problems dnssec solves, rather than
just deploying dnssec? i understood why, during the 2008 summer of fear,
we had to focus our efforts on source port randomization. but it's 2013
now. unless someone finds a fragmentation-based attack that works on
dnssec, then i think we can safely tell anyone who is worried that their
authority data or recursive server is vulnerable to fragmentation-based
attacks, that they ought to just deploy dnssec.