[dns-operations] Spoofing DNS with fragments

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 11 21:36:32 UTC 2018



> On Sep 11, 2018, at 5:26 PM, Paul Vixie <paul at redbarn.org> wrote:
> 
> I think what's interesting about this latest rendition of the fragmentation attack (first told to me by florian in 2008 or so, and independently rediscovered several times since then) is not that a proof of concept was able to get someone to make a certificate for the attacker using the victim's identity because dnssec was relied upon for transaction authenticity.
> 
> rather, it's that dnssec cannot be relied upon, after all.

I have not seen any evidence that shows that forgery of anything other
than unsigned glue is possible via this attack in the presence of DNSSEC.

Have you?  Of course if the CA's resolver is not validating or the
victim's zone is not signed then DNSSEC can't help.  But in all
other cases, only a DoS via broken glue should be possible, or
someone's implementation is cutting corners.

-- 
	Viktor.
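As an added illustration of the distinction drawn above (this is not code from the thread or from any of its participants), the following stand-alone Python script models a response that is reassembled from two IP fragments, with the attacker able to substitute only the second fragment. Everything in it is constructed: a toy line-based wire format in place of real DNS wire encoding, an HMAC under a constructed zone key standing in for a DNSKEY/RRSIG pair (real DNSSEC uses public-key signatures chained to a trust anchor; only the "tampered signed data fails validation" property is being shown), hypothetical names under victim.example, and documentation-range addresses. A validating resolver accepts a rewritten unsigned glue record but returns SERVFAIL when the signed answer is rewritten, while a non-validating resolver accepts the forged answer outright.

```python
import hmac
import hashlib

# Constructed zone key standing in for the zone's DNSKEY/RRSIG pair (see
# lead-in); an HMAC is used only so the example runs on the standard library.
ZONE_KEY = b"constructed-zone-signing-key"

# Constructed records for a hypothetical victim zone.
ANSWERS = [("www.victim.example.", "A", "192.0.2.10")]
GLUE = [("ns1.victim.example.", "A", "192.0.2.53")]
ATTACKER_IP = "203.0.113.66"


def canonical(rrset):
    """Canonical form of an RRset: sorted records, fixed field separator."""
    return "\n".join("|".join(rr) for rr in sorted(rrset)).encode()


def sign(rrset):
    """Toy RRSIG: a MAC over the canonical RRset (stand-in, see above)."""
    return hmac.new(ZONE_KEY, canonical(rrset), hashlib.sha256).hexdigest()


def build_response(answers, glue):
    """Toy wire format, one record per line: header, signed answer RRs,
    the RRSIG covering them, then unsigned glue in the additional section."""
    lines = ["HEADER txid=4660 flags=QR,AA"]
    lines += ["ANSWER " + "|".join(rr) for rr in answers]
    lines.append("RRSIG " + sign(answers))
    lines += ["ADDITIONAL " + "|".join(rr) for rr in glue]
    return ("\n".join(lines) + "\n").encode()


def fragment(msg, first_size):
    """IP-style fragmentation into two pieces at a byte offset."""
    return [msg[:first_size], msg[first_size:]]


def spoof_second_fragment(msg, first_size, forged_tail):
    """Attacker model: the first fragment (UDP header, txid, port) is the
    server's; only the second fragment is replaced by the attacker."""
    frags = fragment(msg, first_size)
    frags[1] = forged_tail
    return b"".join(frags)


def parse(msg):
    answers, glue, sig = [], [], None
    for line in msg.decode().splitlines():
        section, _, body = line.partition(" ")
        if section == "ANSWER":
            answers.append(tuple(body.split("|")))
        elif section == "ADDITIONAL":
            glue.append(tuple(body.split("|")))
        elif section == "RRSIG":
            sig = body
    return answers, glue, sig


def validate(msg):
    """Validating resolver: the answer is usable only if its RRSIG verifies.
    Glue is returned separately: it is unsigned, so it is only a hint for
    reaching the name server, never authoritative data."""
    answers, glue, sig = parse(msg)
    if sig is None or not hmac.compare_digest(sig, sign(answers)):
        return "SERVFAIL", [], glue   # bogus data: a failure, not a forged answer
    return "OK", answers, glue


def non_validating(msg):
    """Resolver that does not validate: uses whatever was reassembled."""
    answers, _, _ = parse(msg)
    return answers


RESPONSE = build_response(ANSWERS, GLUE)


def forge_glue():
    """Fragment boundary falls before the additional section: the attacker
    rewrites only the unsigned glue."""
    cut = RESPONSE.index(b"ADDITIONAL")
    tail = f"ADDITIONAL ns1.victim.example.|A|{ATTACKER_IP}\n".encode()
    return spoof_second_fragment(RESPONSE, cut, tail)


def forge_answer():
    """Fragment boundary falls before the answer section: the attacker
    rewrites the signed A record and replays the genuine RRSIG, which no
    longer matches the data it now sits next to."""
    cut = RESPONSE.index(b"ANSWER")
    _, _, genuine_sig = parse(RESPONSE)
    tail = (f"ANSWER www.victim.example.|A|{ATTACKER_IP}\n"
            f"RRSIG {genuine_sig}\n"
            f"ADDITIONAL ns1.victim.example.|A|{ATTACKER_IP}\n").encode()
    return spoof_second_fragment(RESPONSE, cut, tail)


if __name__ == "__main__":
    print("genuine       :", validate(RESPONSE))
    print("glue forged   :", validate(forge_glue()))
    print("answer forged :", validate(forge_answer()))
    print("no validation :", non_validating(forge_answer()))
```

The forged glue can still steer the resolver to an attacker-controlled name server, but any answer that server returns for signed names fails validation in the same way as forge_answer(), so with a validating resolver and a signed zone the outcome is a lookup failure rather than a usable forged record.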

