[dns-operations] DNS Attack over UDP fragmentation

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Sep 6 07:49:28 UTC 2013


On Thu, Sep 05, 2013 at 02:54:18PM -0700,
 Paul Vixie <paul at redbarn.org> wrote 
 a message of 68 lines which said:

> Florian Weimer wrote:
> >
> > Because DNSSEC does not prevent cache poisoning, it only detects it.
> 
> i do not understand this statement.

The way I understand it: with Kaminsky and/or Shulman, you can still
poison a DNS cache. The downstream validating resolver will detect it
and send back SERVFAIL to the end user. But this end user won't be
able to connect to his/her bank.

So, DNSSEC turned the poisoning attack from a hijacking attack into a
DoS.

Now, the question is: "for an attacker, is it the simplest way to do a
DoS?" IMHO, no, so I'm not too worried about it and I still believe in
DNSSEC.
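The outcome Bortzmeyer describes, a poisoned upstream cache feeding a validating resolver that rejects the forgery and answers SERVFAIL instead of handing the client a bogus address, as an added simulation that is not part of the original message or of any real resolver. The zone key, the names (bank.example, www.bank.example), the addresses and the attacker's key are constructed for the example. The RRSIG is stood in for by an HMAC over the canonical RRset using the zone's key; real DNSSEC uses public-key signatures chained through DNSKEY/DS records to a trust anchor, which this does not model, but the validation outcome (forged data fails, and is refused unless the client set CD) is the same.

```python
"""Simulated cache poisoning seen through a validating downstream resolver.

Constructed example: an upstream non-validating cache has been poisoned
(the Kaminsky/Shulman race is assumed to have been won and is not
modelled); the downstream validating resolver checks the data it gets
from upstream against its trust anchor before answering the stub.
"""
import hashlib
import hmac
from dataclasses import dataclass

NOERROR = "NOERROR"
SERVFAIL = "SERVFAIL"


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple  # e.g. ("192.0.2.10",)


@dataclass(frozen=True)
class SignedRRset:
    rrset: RRset
    rrsig: bytes   # stand-in for an RRSIG (HMAC, see sign())
    signer: str    # zone that claims to have signed the RRset


def canonical(rrset):
    """Canonical wire-ish form: lowercase owner name, type, sorted rdata."""
    return "|".join([rrset.name.lower(), rrset.rtype] + sorted(rrset.rdata)).encode()


def sign(rrset, zone, zone_key):
    """Produce the stand-in RRSIG with the signing zone's key.

    Stand-in: HMAC-SHA256 over the canonical RRset. Real RRSIGs are
    public-key signatures; the property that matters here is only that
    a forger without the zone key cannot produce a valid one.
    """
    mac = hmac.new(zone_key, canonical(rrset), hashlib.sha256).digest()
    return SignedRRset(rrset, mac, zone)


def verify(signed, trusted_keys):
    """Validate a signed RRset against the trust anchors we hold."""
    key = trusted_keys.get(signed.signer)
    if key is None:
        return False
    expected = hmac.new(key, canonical(signed.rrset), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signed.rrsig)


class UpstreamCache:
    """Non-validating cache; a poisoning attack lands its forgery here."""

    def __init__(self):
        self.entries = {}

    def put(self, signed):
        self.entries[(signed.rrset.name.lower(), signed.rrset.rtype)] = signed

    def get(self, name, rtype):
        return self.entries.get((name.lower(), rtype))


def validating_resolve(upstream, trusted_keys, name, rtype, checking_disabled=False):
    """Answer a stub the way a validating resolver behind the poisoned cache does.

    Returns (rcode, rdata). With CD (checking disabled) set by the client,
    the data is handed back unvalidated, as RFC 4035 allows.
    """
    signed = upstream.get(name, rtype)
    if signed is None:
        return (SERVFAIL, None)  # simplification: no recursion modelled
    if checking_disabled or verify(signed, trusted_keys):
        return (NOERROR, signed.rrset.rdata)
    return (SERVFAIL, None)  # bogus: detected, not prevented; client gets no answer


def demo():
    """Before poisoning, after poisoning, and after poisoning with CD=1."""
    zone_key = b"constructed-bank.example-zsk"          # constructed
    trusted = {"bank.example.": zone_key}               # trust anchor for the example
    upstream = UpstreamCache()

    legit = sign(RRset("www.bank.example.", "A", ("192.0.2.10",)), "bank.example.", zone_key)
    upstream.put(legit)
    before = validating_resolve(upstream, trusted, "www.bank.example.", "A")

    # The attacker won the race: the forged RRset now sits in the upstream cache.
    # They do not have the zone key, so the RRSIG is made with a key of their own.
    forged = sign(RRset("www.bank.example.", "A", ("203.0.113.66",)), "bank.example.", b"attacker-key")
    upstream.put(forged)
    after = validating_resolve(upstream, trusted, "www.bank.example.", "A")
    with_cd = validating_resolve(upstream, trusted, "www.bank.example.", "A", checking_disabled=True)
    return before, after, with_cd


if __name__ == "__main__":
    for label, result in zip(("before", "after", "after, CD=1"), demo()):
        print(f"{label:12s} -> {result}")
```

The middle result is the point of the thread: the validator never hands 203.0.113.66 to the client, but the client gets SERVFAIL for the bank's name for as long as the forgery sits in the upstream cache, which is the DoS. The third result shows the caveat: a stub that sets CD opts out of that protection and receives the forged address.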


