[dns-operations] DNSSEC and Re: DNS Attack over UDP fragmentation

Florian Weimer fw at deneb.enyo.de
Sat Sep 7 18:14:32 UTC 2013

* Edward Lewis:

> The above has a few non sequiturs.  First, yes, the cache poisoning
> is prevented, after it is detected.  What you are complaining about,
> though, is that this means the end user is blocked from reaching the
> desired service - as a result of the poisoning being thwarted.

Yes, that's what would happen.

I just want to point out that *if* there's a trivial spoofing attack
(comprising a few thousand packets, but not billions) against DNS, we
still have a problem.  DNSSEC is not a cure for problems on the
transport layer or below.
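A toy model of the point made in this thread, added here as an example and not code from either poster: a resolver that only checks the transaction ID accepts the first matching (spoofed) answer, while a validating resolver rejects it but hands the user SERVFAIL. The zone key, the HMAC stand-in for an RRSIG, the names and the addresses are all constructed for the example; real DNSSEC uses public-key signatures.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Stand-in for a DNSSEC zone key (constructed for this example). An HMAC
# over the RRset plays the role of the RRSIG; real DNSSEC is asymmetric.
ZONE_KEY = b"example-zone-key"


@dataclass
class Response:
    txid: int      # must match the outstanding query's transaction ID
    name: str
    rdata: str
    sig: bytes     # stand-in for the RRSIG covering (name, rdata)


def sign(name, rdata, key=ZONE_KEY):
    """Produce the stand-in signature the zone owner would attach."""
    return hmac.new(key, f"{name}={rdata}".encode(), hashlib.sha256).digest()


def resolve(txid, responses, validate):
    """First response with a matching txid wins, as on the wire. With
    validation, a bogus answer is not cached; it yields SERVFAIL instead."""
    for r in responses:
        if r.txid != txid:
            continue                       # wrong txid: dropped silently
        if not validate:
            return ("OK", r.rdata)         # cache poisoned if r was spoofed
        if hmac.compare_digest(r.sig, sign(r.name, r.rdata)):
            return ("OK", r.rdata)         # genuine, validated answer
        return ("SERVFAIL", None)          # poisoning detected, user blocked
    return ("TIMEOUT", None)


def scenario(validate):
    """Constructed traffic: spoofed answers arrive before the real one,
    and one of them guesses the txid (the 'trivial spoofing' case)."""
    txid = 0x1234
    flood = [Response(t, "www.example", "192.0.2.66", os.urandom(32))
             for t in (0x1000, 0x1234, 0x1FFF)]
    genuine = Response(txid, "www.example", "198.51.100.1",
                       sign("www.example", "198.51.100.1"))
    return resolve(txid, flood + [genuine], validate)
```

Running `scenario(False)` returns the attacker's address; `scenario(True)` returns SERVFAIL, which is exactly the "thwarted but blocked" outcome the thread describes.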

