[dns-operations] DNS Attack over UDP fragmentation
Daniel Kalchev
daniel at digsys.bg
Fri Sep 6 13:29:48 UTC 2013
On 06.09.2013, at 10:49, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Thu, Sep 05, 2013 at 02:54:18PM -0700,
> Paul Vixie <paul at redbarn.org> wrote
> a message of 68 lines which said:
>
>> Florian Weimer wrote:
>>>
>>> Because DNSSEC does not prevent cache poisoning, it only detects it.
>>
>> i do not understand this statement.
>
> The way I understand it: with Kaminsky and/or Shulman, you can still
> poison a DNS cache. The downstream validating resolver will detect it
> and send back SERVFAIL to the end user. But this end user won't be
> able to connect to his/her bank.
>
> So, DNSSEC turned the poisoning attack from a hijacking attack to a
> DoS.
>
Might now be the appropriate time to think about how to depend less on caching?
Or cache only after validation?
Daniel
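As an added illustration of the two cache policies raised in this message (example code, not from the thread, any poster, or any real resolver): a toy Python model that contrasts caching the upstream answer before validation with caching only answers that validated. Names, addresses, TTLs and the validation outcome are constructed sample data; validation itself is simulated as a flag rather than performed.

```python
"""Toy model of a validating resolver's cache policy.

Added illustration only. DNSSEC validation is simulated as a boolean
on each constructed upstream answer; the upstream is a scripted list
of answers consumed in order (first the bogus one, then genuine ones).
"""
from dataclasses import dataclass, field


@dataclass
class Answer:
    name: str
    rdata: str
    ttl: int
    validates: bool  # simulated DNSSEC validation result


@dataclass
class Resolver:
    cache_before_validation: bool
    upstream: list                      # constructed, consumed in order
    cache: dict = field(default_factory=dict)   # name -> (Answer, expiry)
    upstream_queries: int = 0
    now: int = 0                        # simulated clock, seconds

    def _fetch(self, name):
        """Ask the (scripted) upstream for an answer."""
        self.upstream_queries += 1
        ans = self.upstream.pop(0)
        assert ans.name == name
        return ans

    def resolve(self, name):
        """Return ("OK", rdata) or ("SERVFAIL", None) for one client query."""
        entry = self.cache.get(name)
        if entry is not None and entry[1] > self.now:
            ans = entry[0]                      # cache hit
        else:
            ans = self._fetch(name)
            if self.cache_before_validation:
                # Policy A: store whatever came back, then validate.
                self.cache[name] = (ans, self.now + ans.ttl)
        if not ans.validates:
            return ("SERVFAIL", None)           # validator rejects the data
        if not self.cache_before_validation:
            # Policy B: only validated data ever enters the cache.
            self.cache[name] = (ans, self.now + ans.ttl)
        return ("OK", ans.rdata)


def simulate(cache_before_validation):
    """Constructed scenario: a bogus answer arrives first (one lost race),
    after which every upstream query returns genuine, validating data.
    Returns the per-query status over five queries one minute apart and
    the number of upstream queries the resolver had to make."""
    bogus = Answer("bank.example", "192.0.2.66", ttl=3600, validates=False)
    genuine = Answer("bank.example", "192.0.2.10", ttl=3600, validates=True)
    r = Resolver(cache_before_validation, [bogus] + [genuine] * 5)
    statuses = []
    for t in range(5):
        r.now = t * 60
        statuses.append(r.resolve("bank.example")[0])
    return statuses, r.upstream_queries


if __name__ == "__main__":
    print("cache before validation:", simulate(True))
    print("cache after validation: ", simulate(False))
```

With policy A the single bogus answer sits in the cache for its full TTL, so every client sees SERVFAIL for an hour after one lost race: the DoS described above. With policy B the bogus answer is never stored, the next query goes upstream again and the genuine answer wins. Real validating resolvers sit between these extremes, typically holding a bogus result for a short time so that a failing name does not trigger a retry storm; the model just makes the trade-off visible.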