[dns-operations] DNS Attack over UDP fragmentation

Florian Weimer fw at deneb.enyo.de
Thu Sep 5 19:31:53 UTC 2013


* Paul Vixie:

> how much more money, brains, and time are we going to collectively waste
> on dns (so, a WOMBAT) to solve the problems dnssec solves, rather than
> just deploying dnssec?

Because DNSSEC does not prevent cache poisoning, it only detects it.
Once your cache is poisoned, it is difficult to continue.  I doubt
many resolvers can tell a successful cache poisoning attack from a
plain old mis-signed zone or other DNSSEC mishap.  Unbound tries to do
better, but the protocol makes that ridiculously difficult because
it's so hard to obtain signatures of the name servers you want to
query.  In retrospect, not signing delegations and glue was a huge
mistake.
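The "detects but does not prevent" point above can be made concrete with a small model. The following is an added illustration, not code from Weimer's post or from any real resolver: a keyed HMAC stands in for the zone's RRSIG/DNSKEY machinery, the resolver is a dictionary that keeps whichever answer arrives first (the position a validating resolver is in when an off-path forgery wins the race), and all names, addresses and keys are constructed. It shows two things the paragraph argues: the forged entry is recognised as bogus only after it already occupies the cache, and a zone that is merely mis-signed produces the identical validation outcome, so the resolver cannot tell the two apart from the validation result alone.

```python
"""Toy model of why DNSSEC detects, but does not prevent, cache poisoning.

Constructed illustration only: a shared HMAC key stands in for the zone's
RRSIG/DNSKEY signatures, names and addresses are made up, and the
resolver is a dictionary, not a real implementation.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ZONE_KEY = b"example-zone-signing-key"      # stands in for the zone's current ZSK
OLD_ZONE_KEY = b"retired-zone-signing-key"  # a key the zone no longer publishes


def sign(key: bytes, name: str, rdata: str) -> str:
    """Stand-in for an RRSIG: an HMAC over the owner name and the RDATA."""
    return hmac.new(key, f"{name}|{rdata}".encode(), hashlib.sha256).hexdigest()


@dataclass
class RRset:
    name: str
    rdata: str
    sig: str


class Resolver:
    """Caches whichever answer arrives first, then validates on lookup.

    That ordering models a validating resolver during a spoofing race:
    the reply that wins the race is what gets cached, and validation only
    tells the resolver afterwards that the entry is bogus. The entry then
    sits in the cache until its TTL expires; the genuine answer is gone.
    """

    def __init__(self, trusted_key: bytes) -> None:
        self.trusted_key = trusted_key
        self.cache: Dict[str, RRset] = {}

    def receive(self, answer: RRset) -> bool:
        """Accept an answer off the wire. First response wins, as in the race."""
        if answer.name in self.cache:
            return False
        self.cache[answer.name] = answer
        return True

    def resolve(self, name: str) -> Tuple[str, Optional[str]]:
        """Validate the cached RRset: ('SECURE', rdata) or ('BOGUS', None)."""
        rr = self.cache[name]
        expected = sign(self.trusted_key, rr.name, rr.rdata)
        if hmac.compare_digest(expected, rr.sig):
            return ("SECURE", rr.rdata)
        return ("BOGUS", None)  # a real resolver would answer SERVFAIL here


def poisoning_scenario() -> Tuple[str, Optional[str]]:
    """Attacker's forged reply wins the race; the genuine one is dropped."""
    r = Resolver(ZONE_KEY)
    forged = RRset("www.example.", "203.0.113.66", "00" * 32)  # attacker cannot sign
    genuine = RRset("www.example.", "192.0.2.10",
                    sign(ZONE_KEY, "www.example.", "192.0.2.10"))
    r.receive(forged)
    r.receive(genuine)  # too late: the cache slot is already taken
    return r.resolve("www.example.")


def missigned_scenario() -> Tuple[str, Optional[str]]:
    """No attacker: the operator signed with a key the zone no longer publishes."""
    r = Resolver(ZONE_KEY)
    stale = RRset("www.example.", "192.0.2.10",
                  sign(OLD_ZONE_KEY, "www.example.", "192.0.2.10"))
    r.receive(stale)
    return r.resolve("www.example.")


def healthy_scenario() -> Tuple[str, Optional[str]]:
    """Baseline: correctly signed answer arrives first and validates."""
    r = Resolver(ZONE_KEY)
    genuine = RRset("www.example.", "192.0.2.10",
                    sign(ZONE_KEY, "www.example.", "192.0.2.10"))
    r.receive(genuine)
    return r.resolve("www.example.")


if __name__ == "__main__":
    print("poisoned  :", poisoning_scenario())
    print("mis-signed:", missigned_scenario())
    print("healthy   :", healthy_scenario())
```

Both failure scenarios return the same `("BOGUS", None)`: from the resolver's point of view a winning forgery and an operator's signing mistake are indistinguishable, which is the point being made about why detection alone does not remove the incentive to keep the forgery out of the cache in the first place.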
