[dns-operations] DNS Attack over UDP fragmentation

Paul Vixie paul at redbarn.org
Sat Sep 7 05:16:24 UTC 2013

Mark Andrews wrote:
> In message <20130906074928.GA19567 at nic.fr>, Stephane Bortzmeyer writes:
>> ...
>> The way I understand it: with Kaminsky and/or Shulman, you can still
>> poison a DNS cache. The downstream validating resolver will detect it
>> and send back SERVFAIL to the end user. But this end user won't be
>> able to connect to his/her bank.
> Well if you only half deploy DNSSEC this will happen.
> It is a myth that caches do not need to deploy DNSSEC.

i don't think that's the myth in question here. mark, if a vrdns sees
unsigned data or a bad signature, how long will it return servfail for
that rrset? just once, and there's no negative cache at all? many times,
to all downstream transactions waiting on that resolution, but still no
lasting effect? or is there some kind of hold-down, as with other
servfail-generative conditions, such that a successful fragment attack
that broke DNSSEC for a real answer, this attack would deny service for
that rrset from this vrdns for some minutes? --paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130906/df44f34d/attachment.html>

More information about the dns-operations mailing list