[dns-operations] Spoofing DNS with fragments
rharolde at umich.edu
Wed Sep 12 14:43:40 UTC 2018
On Tue, Sep 11, 2018 at 5:38 PM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> > On Sep 11, 2018, at 5:26 PM, Paul Vixie <paul at redbarn.org> wrote:
> > I think what's interesting about this latest rendition of the
> > fragmentation attack (first told to me by florian in 2008 or so, and
> > independently rediscovered several times since then) is not that a proof of
> > concept was able to get someone to make a certificate for the attacker
> > using the victim's identity because dnssec was relied upon for transaction
> > rather, it's that dnssec cannot be relied upon, after all.
> I have not seen any evidence that shows that forgery of anything other
> than unsigned glue is possible via this attack in the presence of DNSSEC.
Seems to me that we should sign the glue (and any other unsigned records)
so that we can verify and trust the whole answer (and whole domains). I
know that won't be easy, but it seems like the right solution to me.
> Have you? Of course if the CA's resolver is not validating or the
> victim's zone is not signed then DNSSEC can't help. But in all
> other cases, only a DoS via broken glue should be possible, or
> someone's implementation is cutting corners.
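To make the "unsigned glue" distinction in the exchange above concrete, here is an added example (not code from the thread or from any resolver the posters mention): a minimal DNS wire-format parser that walks a referral and reports which RRsets carry a covering RRSIG in the same section. The message it parses is constructed inline, with made-up names, addresses, key tag and signature bytes; it only checks for the presence of a covering RRSIG, not whether that signature verifies against a DNSKEY.

```python
"""Report which RRsets in a DNS response have a covering RRSIG.

Added example for the dns-operations thread, not code from the list or
from any named resolver.  The referral below is constructed: a parent
(".net.") answering for "example.net." with an unsigned delegation NS set,
a signed DS RRset, and unsigned A glue in the additional section.  Names,
addresses, key tag and signature bytes are all made up.
"""
import struct

A, NS, DS, RRSIG = 1, 2, 43, 46
TYPE_NAMES = {A: "A", NS: "NS", DS: "DS", RRSIG: "RRSIG"}


def encode_name(name):
    # Uncompressed wire-format name: length-prefixed labels, root terminator.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def rr(name, rtype, rdata, ttl=3600):
    # NAME TYPE CLASS(IN) TTL RDLENGTH RDATA
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def rrsig_rdata(covered, signer, sig):
    # type covered, algorithm (13 = ECDSAP256SHA256), labels, original TTL,
    # expiration, inception, key tag (all placeholder values), signer, signature
    return struct.pack("!HBBIIIH", covered, 13, 2, 3600, 0, 0, 12345) + encode_name(signer) + sig


def build_message(qname, answer, authority, additional):
    # Header: ID, flags (QR|RD|RA, no AA: a referral), QD, AN, NS, AR counts
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answer), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", A, 1)
    return hdr + question + b"".join(answer + authority + additional)


def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers not supported in this example")
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels) + ".", off


def parse_message(msg):
    """Return {section: [(owner, type, rdata), ...]} for the three RR sections."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            recs.append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections[sec] = recs
    return sections


def signed_status(sections):
    """Map (section, owner, type name) -> True if an RRSIG in the same section
    covers that RRset.  Unsigned entries are exactly the data a validating
    resolver may use to reach the child servers but must not treat as
    authenticated."""
    status = {}
    for sec, recs in sections.items():
        covered = {(n, struct.unpack("!H", rd[:2])[0]) for n, t, rd in recs if t == RRSIG}
        for n, t, _ in recs:
            if t != RRSIG:
                status[(sec, n, TYPE_NAMES.get(t, t))] = (n, t) in covered
    return status


def referral_example():
    # Constructed referral for example.net. as a parent server would send it.
    sig = b"\x00" * 64  # placeholder signature bytes, never verified here
    authority = [
        rr("example.net.", NS, encode_name("ns1.example.net.")),
        rr("example.net.", NS, encode_name("ns2.example.net.")),
        rr("example.net.", DS, struct.pack("!HBB", 12345, 13, 2) + b"\x11" * 32),
        rr("example.net.", RRSIG, rrsig_rdata(DS, "net.", sig)),
    ]
    additional = [
        rr("ns1.example.net.", A, bytes([192, 0, 2, 1])),
        rr("ns2.example.net.", A, bytes([192, 0, 2, 2])),
    ]
    msg = build_message("www.example.net.", [], authority, additional)
    return signed_status(parse_message(msg))


if __name__ == "__main__":
    for key, signed in sorted(referral_example().items()):
        print(f"{key[0]:<10} {key[1]:<20} {key[2]:<6} {'signed' if signed else 'UNSIGNED'}")
```

Run as-is it lists the DS RRset as signed and the delegation NS set plus both A glue records as unsigned, which is the shape of Viktor's point: in a validating resolver the unsigned parts only steer the query to the child's servers, so tampering with them yields a failure to reach or validate the child, not an authenticated forged answer.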