Hi Shane

On Tue, Sep 29, 2015 at 12:02:19PM +0000, Shane Kerr wrote:
> If a checksum is added it will probably show up in the final fragment.
> An attacker now needs to ensure that the final fragment shows up before
> the final fragment from the real authority server. This is not too
> difficult, since the attacker is already preparing an attack that
> depends on fragments arriving before the non-spoofed fragments....
> unless the resolver has an indication that an authority server supports
> checksumming.
As you have pointed out, there is currently no way to gather this reliably.

One can only deal with it by implementing the option as "SHOULD-return-a-checksum" for now, wait for implementations to pick up, and then make it a "MUST-return-a-checksum-or-use-TCP" some day in the near future.

If this was implemented in EDNS from day 1, EDNS support would have implied checksums. Of course, it's possible to break this too, but the client has to make the choice of throwing it away and using TCP then.

Mukund
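The resolver-side decision the two messages above are arguing about, as an added example that is not part of this thread or of any checksum draft: a fragmented UDP response is reassembled from whichever final fragment arrives first, the checksum carried in that final fragment is verified against the reassembled message, and a missing checksum is handled differently under the "SHOULD-return-a-checksum" and "MUST-return-a-checksum-or-use-TCP" phases. The checksum algorithm (truncated SHA-256), the two-byte marker standing in for the EDNS option encoding, and the policy and verdict names are all assumptions made for this model.

```python
import hashlib
import hmac
from enum import Enum
from typing import List, Optional, Tuple

# Assumed stand-in for the EDNS checksum option: a 2-byte marker followed by a
# 16-byte digest, appended at the end of the message (so it lands in the final
# fragment). The real option's wire format is not modelled here.
OPT_MARKER = b"\xff\xfe"
DIGEST_LEN = 16


class Policy(Enum):
    SHOULD = "SHOULD-return-a-checksum"            # deployment phase: absent checksum tolerated
    MUST = "MUST-return-a-checksum-or-use-TCP"     # later phase: absent checksum -> retry over TCP


class Verdict(Enum):
    ACCEPT = "accept"
    RETRY_TCP = "discard-and-retry-over-tcp"


def compute_checksum(body: bytes) -> bytes:
    """Assumed checksum: SHA-256 over the message body, truncated to 16 bytes."""
    return hashlib.sha256(body).digest()[:DIGEST_LEN]


def build_udp_response(body: bytes, with_checksum: bool) -> bytes:
    """Server side: append the checksum option to the message if supported."""
    return body + OPT_MARKER + compute_checksum(body) if with_checksum else body


def split_into_fragments(datagram: bytes, mtu: int) -> List[bytes]:
    """Toy IP fragmentation: fixed-size slices, last one carries the tail."""
    return [datagram[i:i + mtu] for i in range(0, len(datagram), mtu)]


def parse_checksum_option(datagram: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Split the reassembled datagram into (body, checksum-or-None)."""
    tail = OPT_MARKER + b""
    if len(datagram) >= len(tail) + DIGEST_LEN and \
            datagram[-(DIGEST_LEN + len(tail)):-DIGEST_LEN] == OPT_MARKER:
        return datagram[:-(DIGEST_LEN + len(tail))], datagram[-DIGEST_LEN:]
    return datagram, None


def evaluate_response(body: bytes, checksum: Optional[bytes], policy: Policy) -> Verdict:
    """Resolver policy: verify a present checksum; decide what a missing one means."""
    if checksum is None:
        # Under SHOULD the resolver cannot tell "server has no checksum support"
        # from "final fragment was replaced"; under MUST it falls back to TCP.
        return Verdict.ACCEPT if policy is Policy.SHOULD else Verdict.RETRY_TCP
    if hmac.compare_digest(checksum, compute_checksum(body)):
        return Verdict.ACCEPT
    return Verdict.RETRY_TCP   # mismatch: throw it away and use TCP


def reassemble_and_check(leading: List[bytes], final_fragment: bytes, policy: Policy) -> Verdict:
    """Reassemble leading fragments with whichever final fragment won the race."""
    body, checksum = parse_checksum_option(b"".join(leading) + final_fragment)
    return evaluate_response(body, checksum, policy)


def scenarios() -> dict:
    """Constructed inputs: a genuine checksummed response and two replaced final fragments."""
    body = b"genuine answer " * 100                    # 1500 bytes, forces fragmentation
    genuine = split_into_fragments(build_udp_response(body, with_checksum=True), mtu=512)
    tail_no_checksum = b"forged tail of the answer"    # constructed: option simply omitted
    tail_bad_checksum = b"forged tail" + OPT_MARKER + bytes(DIGEST_LEN)  # constructed: wrong digest
    return {
        "genuine/SHOULD": reassemble_and_check(genuine[:-1], genuine[-1], Policy.SHOULD),
        "genuine/MUST": reassemble_and_check(genuine[:-1], genuine[-1], Policy.MUST),
        "spoofed-no-checksum/SHOULD": reassemble_and_check(genuine[:-1], tail_no_checksum, Policy.SHOULD),
        "spoofed-no-checksum/MUST": reassemble_and_check(genuine[:-1], tail_no_checksum, Policy.MUST),
        "spoofed-bad-checksum/SHOULD": reassemble_and_check(genuine[:-1], tail_bad_checksum, Policy.SHOULD),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:30s} -> {verdict.value}")
```

The "spoofed-no-checksum/SHOULD" row is the gap Shane points out: with no indication that the authority supports checksumming, a final fragment that omits the option is indistinguishable from a server that never implemented it, so only the MUST phase (or an out-of-band signal of support) closes it.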
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop