On Mon, Jul 20, 2015 at 08:03:36AM -0400, Ted Lemon <ted.le...@nominum.com> wrote a message of 72 lines which said:
> So now I can intercept a query to a site I want to attack, respond
> with a cookie, and now that site is on the supports-cookie list.
> So if it doesn't support cookies, the cookie-supporting cache will
> see a server failure, and now that domain is offline.

This attack requires being on-path *and* active (sending responses). In that case, you don't need cookies to do harm: just send SERVFAIL or REFUSED responses and the resolver will stop querying the victim (the authoritative server).

> Whereas DNSSEC actually solves the problem. So if we are going to
> incentivize people to implement something, why not incentivize them
> to implement DNSSEC, rather than a very limited yet expensive
> half-measure?

DNSSEC has a limit: it *detects* the false responses, it does not give you the right one. Instead of being hijacked, the domain is DoSed. It is an improvement but it is not sufficient. We still need channel protection, such as SPR and/or cookies and/or TCP.
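To make the on-path versus off-path distinction in the reply concrete, here is an added toy model of the DNS Cookies (RFC 7873) check a resolver performs on responses; it is example code written for this page, not code from the thread or from any DNS implementation, and it assumes truncated HMAC-SHA256 as a stand-in for the RFC's cookie functions and constructed addresses and secrets.

```python
"""Toy model of DNS Cookies (RFC 7873) on the resolver side.

Constructed example. Cookie derivation uses truncated HMAC-SHA256 as a
stand-in (an assumption); it is not the RFC 9018 SipHash-2-4 construction.
"""
import hashlib
import hmac
import ipaddress


def client_cookie(client_secret: bytes, server_ip: str) -> bytes:
    """Client Cookie: 8 bytes derived from a client secret and the server IP,
    so each server sees a different but stable value (RFC 7873 section 4.1)."""
    packed = ipaddress.ip_address(server_ip).packed
    return hmac.new(client_secret, packed, hashlib.sha256).digest()[:8]


def server_cookie(server_secret: bytes, c_cookie: bytes, client_ip: str) -> bytes:
    """Server Cookie: 8..32 bytes binding the Client Cookie to the client's
    address; only the server can compute it (RFC 7873 section 4.2)."""
    packed = ipaddress.ip_address(client_ip).packed
    return hmac.new(server_secret, c_cookie + packed, hashlib.sha256).digest()[:16]


def resolver_accepts(sent_client_cookie: bytes, response: dict) -> bool:
    """A resolver that sent a COOKIE option discards responses whose Client
    Cookie does not match what it sent (RFC 7873 section 5.2.1)."""
    rc = response.get("client_cookie")
    return rc is not None and hmac.compare_digest(rc, sent_client_cookie)


def scenario() -> dict:
    """Constructed exchange: resolver 192.0.2.10 queries authoritative
    198.51.100.53. Returns which responses pass the cookie check."""
    cc = client_cookie(b"resolver-secret-example", "198.51.100.53")
    sc = server_cookie(b"auth-secret-example", cc, "192.0.2.10")
    genuine = {"rcode": "NOERROR", "client_cookie": cc, "server_cookie": sc}
    # An off-path party never saw the query, so it cannot know cc.
    off_path = {"rcode": "NOERROR", "client_cookie": bytes(8)}
    # An on-path party saw the query and can echo cc: the cookie check
    # passes, which is why cookies add nothing against that case.
    on_path = {"rcode": "SERVFAIL", "client_cookie": cc}
    return {
        "genuine": resolver_accepts(cc, genuine),
        "off_path": resolver_accepts(cc, off_path),
        "on_path": resolver_accepts(cc, on_path),
    }
```

The model shows cookies as a channel-binding check only: they reject blind off-path forgeries but, like the reply says, give no protection once the responder is on the path.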