On Mar 19, 2010, at 9:10 AM, George Barwood wrote:

>>> It cuts the response from 4K to 1.5K, and I think fragmentation that
>>> contributes to these attacks being damaging.
>
>> All I need to do is find a set of open resolvers which don't have such
>> limits to do juuust fine.
>
> Eventually the open resolvers will get updated, and thus these attacks will
> be effectively limited.
> I don't think anyone has conclusively proved they are not a risk.
HAHAHA. Not bloody likely IMO: a lot of the "open resolvers" are broken
end-user NATs and similar. Those will only be updated sometime around when
hell freezes over.

>> Actually, this doesn't apply, since the reason why ns.se is 2700B is all the
>> RRSIGs in the additional section, which are after the A and AAAA records.
>> So spoofing this part of the datagrams is pointless anyway, since that only
>> has meaning if DNSSEC validation IS performed.
>
> Hold on - can't the spoofer put whatever he likes in the fragment!? He is
> not limited to RRSIGs.

Hmm, you're right, IF the A records are accepted in the additional section,
true, A records could be added to the RRSET for some of the names. But
frankly speaking, that's "ADDITIONAL", and shouldn't really be accepted at all,
and if the resolver DOES cache it, I'd personally call it a bug.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
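The check the reply argues a resolver should apply to the ADDITIONAL section, written out as an added Python example that is not part of the thread or of any resolver's code: the RR type, in_bailiwick, accept_additional and the sample "se. NS" records are all constructed for illustration, with documentation-range addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """Minimal resource record: owner name, type mnemonic, rdata as text."""
    name: str
    rtype: str
    rdata: str


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (the root zone contains everything)."""
    n, z = _norm(name), _norm(zone)
    return z == "" or n == z or n.endswith("." + z)


def accept_additional(answer, authority, additional, zone):
    """Split ADDITIONAL into (glue a resolver may use, records it should ignore).

    A record is kept only if it is A/AAAA glue for a name server that the
    ANSWER/AUTHORITY sections actually delegate to, and that owner lies in
    the bailiwick of the zone being asked about. Anything else in ADDITIONAL
    (unrelated in-zone names, out-of-zone addresses) is never cached from
    here, which is what defeats injected A records in a spoofed fragment.
    RRSIGs are left to the DNSSEC validator rather than treated as glue.
    """
    ns_targets = {_norm(rr.rdata) for rr in answer + authority if rr.rtype == "NS"}
    kept, dropped = [], []
    for rr in additional:
        owner = _norm(rr.name)
        ok = rr.rtype in ("A", "AAAA") and owner in ns_targets and in_bailiwick(owner, zone)
        (kept if ok else dropped).append(rr)
    return kept, dropped


# Constructed sample modelled on a "se. NS" response (not a real capture).
ANSWER = [RR("se.", "NS", "a.ns.se."), RR("se.", "NS", "b.ns.se.")]
AUTHORITY = []
ADDITIONAL = [
    RR("a.ns.se.", "A", "192.0.2.1"),                 # legitimate glue
    RR("b.ns.se.", "AAAA", "2001:db8::1"),            # legitimate glue
    RR("www.bank.se.", "A", "203.0.113.9"),           # in-zone name, not a delegated NS: ignore
    RR("ns.example.net.", "A", "198.51.100.7"),       # out of bailiwick: ignore
    RR("a.ns.se.", "RRSIG", "A 8 3 (constructed)"),   # signature: validator's job, not glue
]


def demo():
    kept, dropped = accept_additional(ANSWER, AUTHORITY, ADDITIONAL, "se.")
    return [rr.name for rr in kept], [rr.name for rr in dropped]


if __name__ == "__main__":
    print(demo())
```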
