[dns-operations] DNS Attack over UDP fragmentation

Mark Andrews marka at isc.org
Sat Sep 7 05:06:47 UTC 2013

In message <20130906074928.GA19567 at nic.fr>, Stephane Bortzmeyer writes:
> On Thu, Sep 05, 2013 at 02:54:18PM -0700,
>  Paul Vixie <paul at redbarn.org> wrote 
>  a message of 68 lines which said:
> > Florian Weimer wrote:
> > >
> > > Because DNSSEC does not prevent cache poisoning, it only detects it.
> > 
> > i do not understand this statement.
> The way I understand it: with Kaminsky and/or Shulman, you can still
> poison a DNS cache. The downstream validating resolver will detect it
> and send back SERVFAIL to the end user. But this end user won't be
> able to connect to his/her bank.

Well if you only half deploy DNSSEC this will happen.

It is a myth that caches do not need to deploy DNSSEC.
> So, DNSSEC turned the poisoning attack from a hijacking attack to a
> DoS.

Proper deployment of DNSSEC requires that the cache does validation.
> Now, the question is: "for an attacker, is it the simplest way to do a
> DoS?" IMHO, no, so I'm not too worried about it and I still believe in
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list