On Wed, Feb 14, 2024 at 04:55:20AM +0100, b...@fea.st wrote:
> “A single packet can exhaust the processing
> capacity of a vulnerable DNS server, effectively
> disabling the machine, by exploiting a
> 20-plus-year-old design flaw in the DNSSEC
> specification.
>
> https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
To be clear, this does not mean DNSSEC is cryptographically broken. The RFCs specifying the DNSSEC validation algorithm do not take into account the potential resource usage of validating many potential signatures, so the implementations following the RFCs suffered from the same. By constraining the amount of work (limiting the potential signatures considered) while validating, these issues are worked around.

-Otto
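The reply above describes the workaround in one sentence: bound the number of signature checks a validator will do for one RRset. The following Python model is an added illustration, not code from the thread, from any resolver, or from the RFCs. It replaces real DNSSEC records and RSA/ECDSA with constructed dataclasses and an HMAC-SHA256 tag, so only the validator's control flow is shown: an RFC-style loop tries every RRSIG against every DNSKEY with a matching key tag (the multiplicative work the thread refers to), and the same loop with a `max_checks` budget (assumed name) stops early and reports the RRset as bogus.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for DNSSEC records. A real validator parses DNSKEY and
# RRSIG wire format and runs RSA/ECDSA; here an HMAC-SHA256 tag plays the role
# of the signature so the control flow (not the cryptography) can be examined.
@dataclass(frozen=True)
class DNSKey:
    key_tag: int      # 16-bit tag validators use to pre-select candidate keys
    secret: bytes     # toy: symmetric secret standing in for the public key

@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    signature: bytes

def toy_sign(key: DNSKey, rrset: bytes) -> bytes:
    return hmac.new(key.secret, rrset, hashlib.sha256).digest()

def toy_verify(key: DNSKey, rrset: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(toy_sign(key, rrset), signature)

def validate_rrset(rrset, rrsigs, dnskeys, max_checks: Optional[int] = None):
    """Return (status, checks_done).

    RFC-style rule: each RRSIG is tried against every DNSKEY whose key tag
    matches, and the RRset is 'secure' as soon as one pair verifies.
    With max_checks=None the number of signature checks is unbounded, so
    len(rrsigs) * matching keys checks happen before a 'bogus' answer.
    With a budget (assumed name, the workaround the thread describes),
    validation stops and reports 'bogus' once the budget is spent.
    """
    checks = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key.key_tag != sig.key_tag:
                continue  # tag mismatch: no expensive check needed
            if max_checks is not None and checks >= max_checks:
                return "bogus", checks
            checks += 1
            if toy_verify(key, rrset, sig.signature):
                return "secure", checks
    return "bogus", checks

def build_example(n_keys: int, n_sigs: int, valid_pair=None, tag: int = 0x1234):
    """Constructed input: n_keys keys sharing one key tag (tags are not unique
    in DNSSEC, so collisions are legal) and n_sigs signatures for that tag.
    If valid_pair=(s, k), signature s is a genuine signature made with key k;
    every other signature is junk that verifies against nothing."""
    rrset = b"example.test. 300 IN A 192.0.2.1"  # constructed, TEST-NET-1
    keys = [DNSKey(tag, f"toy-key-{i}".encode()) for i in range(n_keys)]
    sigs = [RRSIG(tag, bytes(32)) for _ in range(n_sigs)]
    if valid_pair is not None:
        s, k = valid_pair
        sigs[s] = RRSIG(tag, toy_sign(keys[k], rrset))
    return rrset, sigs, keys

def compare(n_keys: int = 3, n_sigs: int = 2, budget: int = 4):
    """Run the same inputs through the unbounded and the bounded validator."""
    # A legitimate case: the last signature/key pair is the good one.
    rrset, sigs, keys = build_example(n_keys, n_sigs, valid_pair=(n_sigs - 1, n_keys - 1))
    unbounded = validate_rrset(rrset, sigs, keys)
    bounded = validate_rrset(rrset, sigs, keys, max_checks=budget)
    # No valid signature at all: the unbounded validator does every pairing.
    rrset2, sigs2, keys2 = build_example(n_keys, n_sigs)
    all_junk = validate_rrset(rrset2, sigs2, keys2)
    return {"unbounded": unbounded, "bounded": bounded, "all_junk": all_junk}

if __name__ == "__main__":
    for name, (status, checks) in compare().items():
        print(f"{name:10s} status={status:7s} signature checks={checks}")
```

With the defaults, the unbounded validator needs 6 checks to reach the genuine pair and also does all 6 when nothing verifies, while a budget of 4 stops at 4. That shows the other half of the workaround: the budget converts excess work into a bogus result, so a resolver has to set it above the number of checks a legitimately signed zone can need (for instance during a key rollover, when several DNSKEYs and RRSIGs coexist), or valid answers will fail validation.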