[dns-operations] DNS Attack over UDP fragmentation
Mark Andrews
marka at isc.org
Sat Sep 7 05:06:47 UTC 2013
In message <20130906074928.GA19567 at nic.fr>, Stephane Bortzmeyer writes:
> On Thu, Sep 05, 2013 at 02:54:18PM -0700,
> Paul Vixie <paul at redbarn.org> wrote
> a message of 68 lines which said:
>
> > Florian Weimer wrote:
> > >
> > > Because DNSSEC does not prevent cache poisoning, it only detects it.
> >
> > i do not understand this statement.
>
> The way I understand it: with Kaminsky and/or Shulman, you can still
> poison a DNS cache. The downstream validating resolver will detect it
> and send back SERVFAIL to the end user. But this end user won't be
> able to connect to his/her bank.
Well if you only half deploy DNSSEC this will happen.
It is a myth that caches do not need to deploy DNSSEC.
> So, DNSSEC turned the poisoning attack from a hijacking attack to a
> DoS.
Proper deployment of DNSSEC requires that the cache does validation.
> Now, the question is: "for an attacker, is it the simplest way to do a
> DoS?" IMHO, no, so I'm not too worried about it and I still believe in
> DNSSEC.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list