[dns-operations] DNS Attack over UDP fragmentation

Joe Abley jabley at hopcount.ca
Mon Sep 9 14:43:32 UTC 2013

On 2013-09-07, at 15:07, Paul Wouters <paul at nohats.ca> wrote:

> On Sat, 7 Sep 2013, Florian Weimer wrote:
>> Well, there aren't any plans to sign ROOT-SERVERS.NET, are there?
> Why sign that when you have the DNSKEY via the DS anyway. You shouldn't
> care which IP answers and whether they can spoof it. If one IP fails,
> try another. If the attacker can rewrite all of that, you should
> probably not be on that network.

Indeed, the only reason to sign ROOT-SERVERS.NET I have heard is that we want people to sign, and we want to set a good example, so signing that zone would be a good idea. I have not heard a convincing security argument for signing it. If there was a good reason, it could be signed.


More information about the dns-operations mailing list