On 09/04/2013 04:50 PM, Ondřej Surý wrote: > BTW just to complete my question in first email - is there a agreement that > this is serious and needs to be addressed? >
Just had a quick read and here are some random thoughts (staying out of solution space for now): Fragmentation has long been known to be a security hazard, so I certainly think this is plausible. The initial requirements to pull this off seem a bit more than for the original attack (however once they are there it is easier). Funny how having DNSSEC but not validating it makes it worse (and something to remember when turning on NTA). Also reminds me to look at the tcp-only thing again. I'd love to see a PoC and try it out here. Jelte _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
