[dns-operations] DNS Attack over UDP fragmentation

Daniel Kalchev daniel at digsys.bg
Fri Sep 6 13:29:48 UTC 2013

On 06.09.2013, at 10:49, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Thu, Sep 05, 2013 at 02:54:18PM -0700,
> Paul Vixie <paul at redbarn.org> wrote 
> a message of 68 lines which said:
>> Florian Weimer wrote:
>>> Because DNSSEC does not prevent cache poisoning, it only detects it.
>> i do not understand this statement.
> The way I understand it: with Kaminsky and/or Shulman, you can still
> poison a DNS cache. The downstream validating resolver will detect it
> and send back SERVFAIL to the end user. But this end user won't be
> able to connect to his/her bank.
> So, DNSSEC turned the poisoning attack from a hijacking attack to a
> DoS.

Might be the appropriate time to think how to depend less on caching is now?
Or cache only after validation?


More information about the dns-operations mailing list