MoinQ:

1. DNS/Bert

DNS/finch

https://ds9a.nl/tmp/powerdns-xs4all-presentatie.pdf

2. dns-operations 2018

[dns-operations] Spoofing DNS with fragments

https://lists.dns-oarc.net/pipermail/dns-operations/2018-September/017949.html

https://lists.dns-oarc.net/pipermail/dns-operations/2018-September/017950.html

This is mostly a solved problem from the point of view of the low-level 
infrastructure: Current Linux has mitigations DNS servers can use to 
avoid fragmented responses for reasonable response buffer sizes (such as 
1200 bytes) even when ICMP path MTU poisoning is used.

By the way, I'm not sure if DNSSEC mitigates the denial-of-service 
aspect of this vulnerability.  If this attack is simple enough to carry 
out, people will use it to install bad glue for DNSSEC-secured domains, 
blocking successful resolution, just for fun.  There is no alternative 
to lowering the buffer size *and* avoiding fragmentation.