[dns-operations] Spoofing DNS with fragments

Bob Harold rharolde at umich.edu
Wed Sep 12 14:43:40 UTC 2018


On Tue, Sep 11, 2018 at 5:38 PM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

>
>
> > On Sep 11, 2018, at 5:26 PM, Paul Vixie <paul at redbarn.org> wrote:
> >
> > I think what's interesting about this latest rendition of the
> fragmentation attack (first told to me by florian in 2008 or so, and
> independently rediscovered several times since then) is not that a proof of
> concept was able to get someone to make a certificate for the attacker
> using the victim's identity because dnssec was relied upon for transaction
> authenticity.
> >
> > rather, it's that dnssec cannot be relied upon, after all.
>
> I have not seen any evidence that shows that forgery of anything other
> than unsigned glue is possible via this attack in the presence of DNSSEC.
>

Seems to me that we should sign the glue (and any other unsigned records)
so that we can verify and trust the whole answer (and whole domains).  I
know that won't be easy, but it seems like the right solution to me.

-- 
Bob Harold


> Have you?  Of course if the CA's resolver is not validating or the
> victim's zone is not signed then DNSSEC can't help.  But in all
> other cases, only a DoS via broken glue should be possible, or
> someone's implementation is cutting corners.
>
> --
>         Viktor.
>
>
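The exchange above turns on one distinction: in a DNSSEC-signed zone, the answer and authority RRsets carry RRSIGs, while glue addresses in the additional section do not, so glue is the only part of a response a fragment-based forgery could alter without a validator noticing. The following script is an added illustration and not code from the thread or from any of the participants; it parses a DNS response from the wire (standard library only, compression pointers handled) and lists every RRset that has no RRSIG covering it in its own section. The sample response is constructed inline with placeholder names and a dummy signature, and the `unsigned_rrsets` helper is an assumption for this example rather than any resolver's API.

```python
"""List the RRsets in a DNS response that carry no RRSIG in their section.

Pure standard library. The sample message below is constructed for this
example (not a real capture): a signed answer, a signed NS set, and one
unsigned glue A record in the additional section.
"""
import struct

TYPE_A, TYPE_NS, TYPE_RRSIG = 1, 2, 46
TYPE_NAMES = {TYPE_A: "A", TYPE_NS: "NS", TYPE_RRSIG: "RRSIG"}
SECTIONS = ("answer", "authority", "additional")


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def rr(name, rtype, rdata, ttl=300):
    """Serialize one resource record (class IN)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def rrsig_rdata(type_covered, signer):
    """RRSIG RDATA with a dummy signature: only the 'type covered' field matters here."""
    # type covered, algorithm, labels, original TTL, expiration, inception, key tag
    fixed = struct.pack("!HBBIIIH", type_covered, 13, 2, 300, 0, 0, 12345)
    return fixed + encode_name(signer) + b"\x00" * 64  # placeholder signature bytes


def build_sample_response():
    """Constructed response: header (QR|AA), 1 question, 2 answer, 2 authority, 1 additional."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 2, 1)
    question = encode_name("www.example.com") + struct.pack("!HH", TYPE_A, 1)
    answer = rr("www.example.com", TYPE_A, bytes([192, 0, 2, 10]))
    answer += rr("www.example.com", TYPE_RRSIG, rrsig_rdata(TYPE_A, "example.com"))
    authority = rr("example.com", TYPE_NS, encode_name("ns1.example.com"))
    authority += rr("example.com", TYPE_RRSIG, rrsig_rdata(TYPE_NS, "example.com"))
    additional = rr("ns1.example.com", TYPE_A, bytes([192, 0, 2, 53]))  # glue: no RRSIG
    return header + question + answer + authority + additional


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Return {section: [(owner, type, type_covered_if_rrsig), ...]}."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    sections = {}
    for section, count in zip(SECTIONS, (an, ns, ar)):
        records = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            covered = struct.unpack("!H", rdata[:2])[0] if rtype == TYPE_RRSIG else None
            records.append((name, rtype, covered))
        sections[section] = records
    return sections


def unsigned_rrsets(sections):
    """(section, owner, type) for every RRset with no RRSIG covering it in that section."""
    found = set()
    for section, records in sections.items():
        signed = {(name, covered) for name, rtype, covered in records if rtype == TYPE_RRSIG}
        for name, rtype, _ in records:
            if rtype != TYPE_RRSIG and (name, rtype) not in signed:
                found.add((section, name, TYPE_NAMES.get(rtype, str(rtype))))
    return sorted(found)


if __name__ == "__main__":
    for entry in unsigned_rrsets(parse_response(build_sample_response())):
        print("unsigned RRset:", entry)
```

Run stand-alone it reports only the glue record in the additional section, which matches the point made in the thread: a validating resolver can authenticate the signed sets regardless of how the packet was reassembled, and unsigned glue is the only data it must treat as a hint rather than as a verified answer.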