[dns-operations] DNS Attack over UDP fragmentation

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Sep 6 07:49:28 UTC 2013

On Thu, Sep 05, 2013 at 02:54:18PM -0700,
 Paul Vixie <paul at redbarn.org> wrote 
 a message of 68 lines which said:

> Florian Weimer wrote:
> >
> > Because DNSSEC does not prevent cache poisoning, it only detects it.
> i do not understand this statement.

The way I understand it: with Kaminsky and/or Shulman, you can still
poison a DNS cache. The downstream validating resolver will detect it
and send back SERVFAIL to the end user. But this end user won't be
able to connect to his/her bank.

So, DNSSEC turned the poisoning attack from a hijacking attack to a

Now, the question is: "for an attacker, is it the simplest way to do a
DoS?" IMHO, no, so I'm not too worried about it and I still believe in

More information about the dns-operations mailing list