[dns-operations] DNSSEC and Re: DNS Attack over UDP fragmentation
fw at deneb.enyo.de
Sat Sep 7 18:14:32 UTC 2013
* Edward Lewis:
> The above has a few non-sequiturs. First, yes, the cache poisoning
> is prevented, after it is detected. What you are complaining about,
> though, is that this means the end user is blocked from reaching the
> desired service - as a result of the poisoning being thwarted.
Yes, that's what would happen.
I just want to point out that *if* there's a trivial spoofing attack
(comprising a few thousand packets, but not billions) against DNS, we
still have a problem. DNSSEC is not a cure for problems on the
transport layer or below.