[dns-operations] DNS Attack over UDP fragmentation

ondrej.sury at nic.cz ondrej.sury at nic.cz
Wed Sep 4 16:41:52 UTC 2013

On 2013-09-04 18:12, Paul Vixie wrote:
> how much more money, brains, and time are we going to collectively 
> waste
> on dns (so, a WOMBAT) to solve the problems dnssec solves, rather than
> just deploying dnssec? i understood why, during the 2008 summer of 
> fear,
> we had to focus our efforts on source port randomization. but it's 2013
> now. unless someone finds a fragmentation-based attack that works on
> dnssec, then i think we can safely tell anyone who is worried that 
> their
> authority data or recursive server is vulnerable to fragmentation-based
> attacks, that they ought to just deploy dnssec.


the problem is that it needs to deployed on both sides otherwise it will
just make things evey worse, so I don't think we can flush this by just
saying "enable DNSSEC now".  At least the parties that have some 
can't (e.g. registries, registrars, DNS operators).  We definitely 
say "enable DNSSEC" if you want to be protected (and we are saying that
even longer than from summer 2008), but we also need to ensure we do
everything we can to secure those who don't.


More information about the dns-operations mailing list