[dns-operations] DNS Attack over UDP fragmentation
fw at deneb.enyo.de
Sat Sep 7 17:52:41 UTC 2013
* Mark Andrews:
> In message <20130906074928.GA19567 at nic.fr>, Stephane Bortzmeyer writes:
>> The way I understand it: with Kaminsky and/or Shulman, you can still
>> poison a DNS cache. The downstream validating resolver will detect it
>> and send back SERVFAIL to the end user. But this end user won't be
>> able to connect to his/her bank.
> Well if you only half deploy DNSSEC this will happen.
Well, there aren't any plans to sign ROOT-SERVERS.NET, are there?
So even a hypothetical resolver that avoids long-term caching of bad,
DNSSEC-signed data will still go belly-up if it ever learns incorrect
address information for the root zone.
Now you can special-case ROOT-SERVERS.NET, but it's quite common to
host the name servers in unsigned zones (GTLD-SERVERS.NET, NSTLD.COM,
GOV-SERVERS.NET, GTLD.BIZ, and so on).
> Proper deployment of DNSSEC requires that the cache does validation.
Well, I guess that's progress. :-)
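The problem raised above (name server hostnames living in unsigned zones, so a validating resolver cannot check their addresses) can be audited with a chain-of-trust walk. This is an added example, not code from the thread or its participants; the table of which zones are signed is constructed from the zone names the post mentions and reflects the 2013 situation it describes, not a live lookup.

```python
# Added example: which name server hostnames does a validating resolver have
# to take on faith? The SIGNED_ZONES table is CONSTRUCTED for this example
# from the zones named in the post (True = DNSSEC-signed, False = unsigned).
SIGNED_ZONES = {
    ".": True,
    "net.": True,
    "com.": True,
    "biz.": True,
    "gov.": True,
    "root-servers.net.": False,
    "gtld-servers.net.": False,
    "nstld.com.": False,
    "gov-servers.net.": False,
    "gtld.biz.": False,
}


def ancestor_zones(name):
    """Yield the names from the root down to `name` itself, e.g.
    'a.root-servers.net.' -> '.', 'net.', 'root-servers.net.', 'a.root-servers.net.'"""
    labels = name.lower().rstrip(".").split(".")
    yield "."
    if labels == [""]:
        return
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."


def chain_of_trust_ok(hostname, signed=SIGNED_ZONES):
    """Address records for `hostname` are validatable only if no zone cut
    between the root and the hostname is unsigned. Assumption: names absent
    from the table are not separate zone cuts (they sit inside their parent)."""
    return not any(
        zone in signed and not signed[zone] for zone in ancestor_zones(hostname)
    )


def unvalidatable_nameservers(ns_hostnames, signed=SIGNED_ZONES):
    """Return the name server hostnames whose addresses cannot be DNSSEC
    validated, i.e. the ones for which an incorrect address, once learned,
    is not caught by validation (sorted, for stable reporting)."""
    return sorted(h.lower() for h in ns_hostnames if not chain_of_trust_ok(h, signed))


if __name__ == "__main__":
    # Constructed NS set mixing unsigned hosting zones with a signed one.
    sample = ["A.ROOT-SERVERS.NET.", "a.gtld-servers.net.", "ns1.example.net."]
    print(unvalidatable_nameservers(sample))
```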