Otto Moerbeek <o...@drijf.net> wrote:
> On Wed, Feb 14, 2024 at 04:55:20AM +0100, b...@fea.st wrote:
>
> > “A single packet can exhaust the processing
> > capacity of a vulnerable DNS server, effectively
> > disabling the machine, by exploiting a
> > 20-plus-year-old design flaw in the DNSSEC
> > specification.
> >
> > https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
>
> To be clear, this does not mean DNSSEC is cryptographically broken.
>
> The RFCs specifying the DNSSEC validation algorithm do not take into
> account potential resource usage validating many potential signatures,
> so the implementations following the RFCs suffered from the same.
>
> By constraining the amount of work (limiting the potential signatures
> considered) while validating, these issues are worked around.
Otto, you just don't believe the sky is falling.
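The work-around Otto describes, bounding the number of signatures a validator will consider for one RRset, is easy to see in a toy model. The following is an added illustration, not code from this thread, from PowerDNS, or from any resolver. It models only the candidate-key selection step of RFC 4035 section 5.3.1 (a DNSKEY is tried for an RRSIG when key tag and algorithm match), replaces the real public-key verification with a constructed label comparison so it runs offline, and invents all record values. `validate_unbounded` does what a literal reading of the RFC implies; `validate_bounded` adds the per-response work budget and treats an over-budget RRset as bogus.

```python
"""Toy DNSSEC validator showing why a validation work budget matters.

Constructed example: DNSKEY/RRSIG records are reduced to the fields
needed for candidate selection, and crypto_verify() is a stand-in for
the expensive RSA/ECDSA/EdDSA check.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    key_id: str  # constructed label used by the stand-in verifier


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signed_by: Optional[str]  # constructed: key_id that produced it, None if it verifies under no key


def crypto_verify(sig: RRSIG, key: DNSKEY) -> bool:
    """Stand-in for the public-key operation a real validator performs.

    Only compares constructed labels so the example needs no keys; what
    matters for the illustration is how many times it is called.
    """
    return sig.signed_by == key.key_id


def candidate_pairs(rrsigs: List[RRSIG], dnskeys: List[DNSKEY]) -> Iterator[Tuple[RRSIG, DNSKEY]]:
    """Yield (RRSIG, DNSKEY) pairs a validator must try.

    Mirrors RFC 4035 section 5.3.1: every DNSKEY whose key tag and
    algorithm match the RRSIG is a candidate, so the number of
    verifications grows with signatures x candidate keys.
    """
    for sig in rrsigs:
        for key in dnskeys:
            if key.key_tag == sig.key_tag and key.algorithm == sig.algorithm:
                yield sig, key


def validate_unbounded(rrsigs: List[RRSIG], dnskeys: List[DNSKEY]) -> Tuple[str, int]:
    """Try every candidate pair. Returns (status, crypto operations used)."""
    ops = 0
    for sig, key in candidate_pairs(rrsigs, dnskeys):
        ops += 1
        if crypto_verify(sig, key):
            return "secure", ops
    return "bogus", ops


def validate_bounded(rrsigs: List[RRSIG], dnskeys: List[DNSKEY], max_ops: int) -> Tuple[str, int]:
    """Same loop with a per-RRset work budget.

    Once the budget is spent the RRset is treated as bogus, so a single
    response can no longer consume unbounded CPU; this is the constraint
    on "potential signatures considered" described in the thread.
    """
    ops = 0
    for sig, key in candidate_pairs(rrsigs, dnskeys):
        if ops >= max_ops:
            return "bogus (validation budget exceeded)", ops
        ops += 1
        if crypto_verify(sig, key):
            return "secure", ops
    return "bogus", ops


# Constructed sample data.
# Ordinary zone: one zone-signing key and one signature it produced.
BENIGN_KEYS = [DNSKEY(key_tag=12345, algorithm=13, key_id="zsk-1")]
BENIGN_SIGS = [RRSIG(key_tag=12345, algorithm=13, signed_by="zsk-1")]

# Pathological response: 20 DNSKEYs and 20 RRSIGs that all share one key
# tag and algorithm, so every key is a candidate for every signature and
# none of the pairs verifies (400 crypto operations if tried exhaustively).
MANY_KEYS = [DNSKEY(key_tag=4660, algorithm=13, key_id=f"k{i}") for i in range(20)]
MANY_SIGS = [RRSIG(key_tag=4660, algorithm=13, signed_by=None) for _ in range(20)]


if __name__ == "__main__":
    print("benign, unbounded:", validate_unbounded(BENIGN_SIGS, BENIGN_KEYS))
    print("pathological, unbounded:", validate_unbounded(MANY_SIGS, MANY_KEYS))
    print("pathological, budget 16:", validate_bounded(MANY_SIGS, MANY_KEYS, max_ops=16))
```

The budget value is a policy choice for the operator; the point is that the bounded validator's cost per response is fixed at `max_ops` verifications regardless of how many records the response carries, while the unbounded one scales with the product of signatures and candidate keys. Returning bogus rather than silently accepting keeps the security semantics: an RRset that cannot be validated within budget is not treated as secure.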