[dns-operations] DNS Attack over UDP fragmentation

Florian Weimer fw at deneb.enyo.de
Sat Sep 7 17:52:41 UTC 2013

* Mark Andrews:

> In message <20130906074928.GA19567 at nic.fr>, Stephane Bortzmeyer writes:
>> The way I understand it: with Kaminsky and/or Shulman, you can still
>> poison a DNS cache. The downstream validating resolver will detect it
>> and send back SERVFAIL to the end user. But this end user won't be
>> able to connect to his/her bank.
> Well if you only half deploy DNSSEC this will happen.

Well, there aren't any plans to sign ROOT-SERVERS.NET, are there?

So even a hypothetical resolver that avoids long-term caching of bad,
DNSSEC-signed data will still go belly-up if it ever learns incorrect
address information for the root zone.

Now you can special-case ROOT-SERVERS.NET, but it's quite common to
host the name servers in unsigned zones (GTLD-SERVERS.NET, NSTLD.COM,

> Proper deployment of DNSSEC requires that the cache does validation.

Well, I guess that's progress. :-)

More information about the dns-operations mailing list