[dns-operations] DNS Attack over UDP fragmentation

Paul Wouters paul at nohats.ca
Sat Sep 7 19:07:21 UTC 2013


On Sat, 7 Sep 2013, Florian Weimer wrote:

> Well, there aren't any plans to sign ROOT-SERVERS.NET, are there?

Why sign that when you have the DNSKEY via the DS anyway. You shouldn't
care which IP answers and whether they can spoof it. If one IP fails,
try another. If the attacker can rewrite all of that, you should
probably not be on that network.

> So even a hypothetical resolver that avoids long-term caching of bad,
> DNSSEC-signed data will still go belly-up if it ever learns incorrect
> address information for the root zone.
>
> Now you can special-case ROOT-SERVERS.NET, but it's quite common to
> host the name servers in unsigned zones (GTLD-SERVERS.NET, NSTLD.COM,
> GOV-SERVERS.NET, GTLD.BIZ, and so on).

If they can do all of that, they can also just send TCP RST packets.
What _are_ you doing on such a network?

Paul
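The point above, that a validator's trust is bound by the parent's DS to the owner name and the DNSKEY contents rather than to whichever address happened to answer, as an added example that is not part of the original post: a minimal RFC 4034 section 5.1.4 DS-to-DNSKEY check in Python. The zone name `example.` and the key bytes are constructed sample data, not a real key.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-algorithm-1 form)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """RFC 4034 s5.1.4: digest = hash(owner name in wire form || DNSKEY RDATA)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()

def dnskey_matches_ds(owner, rdata, ds_keytag, ds_alg, ds_digest_type, ds_dig):
    """True only if key tag, algorithm and digest of the child key all match the parent's DS."""
    return (keytag(rdata) == ds_keytag and rdata[3] == ds_alg
            and ds_digest(owner, rdata, ds_digest_type) == ds_dig)

# Constructed sample: a KSK (flags 257) for example., algorithm 8, with dummy key bytes.
SAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes(range(64)))
# The DS the parent would publish for it: (key tag, algorithm, digest type 2 = SHA-256, digest).
PARENT_DS = (keytag(SAMPLE_KEY), 8, 2, ds_digest("example.", SAMPLE_KEY))

def demo():
    # Genuine key validates regardless of which server's address delivered it.
    ok = dnskey_matches_ds("example.", SAMPLE_KEY, *PARENT_DS)
    # A substituted key from a spoofed server fails, because the DS binds name and key content.
    forged = dnskey_rdata(257, 3, 8, bytes(64))
    bad = dnskey_matches_ds("example.", forged, *PARENT_DS)
    return ok, bad
```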
