## page was copied from DNS/FCP/name_server_blocking == DNS/FCP/論文の構成 == <> <> Introduction の最後の部分です。-- ToshinoriMaeno <> ---- We summarise all our attacks, with their requirements,in Table 1. The requirements are explained in Section 2; for now, it suffices to mention that they all reflect com- mon situations in the current DNS, many of which are not expected to change, even if DNSSEC is fully, universally and correctly deployed. The main exception is attacks which require partial or incorrect DNSSEC deployment; however, not only is this requirement currently often satisfied, but it is also required only for the ‘domain hijacking’ attack. In fact, ironically, the use of DNSSEC is often what provides necessary requirements for our attacks to work. Specifically, all of our attacks require ‘Fragmentable zone’, implying fragmented DNS responses; and three of the attacks require ‘Poisonable zone’, implying that the second fragment contains complete resource record(s), from the ‘authority’ and/or ‘additional’ sections. More details on the requirements are presented within. {{{ DNSSEC requires long resource records (RRs) which results in long DNS responses. Long DNS responses (i.e., above 512 byte) require support of the EDNS extension mechanism, [35], and often fragmented when sent over UDP, since their size exceeds the path MTU. It is exactly this fragmentation that facilitates our attacks; e.g., we show that off-path attackers can often replace the sec ond fragment of a packet, resulting in a seemingly-valid, yet fake, DNS response, or ‘merely’ causing corruption of the DNS response. Fragmentation is known to be problematic or ‘harmful’, mainly due to the negative impact on performance; see the seminal paper of Kent and Mogul [23]. As a result, fragmentation is usually avoided, e.g., by use of path MTU discovery [28, 29], mainly for connection-based transport protocol (TCP). However, DNS traffic is usually sent over UDP; while several significant name servers, e.g., com, edu, send long responses over TCP, this may not be a good long-term solution, since the use of TCP results in significant overhead. }}} == Contributions == {{{ Incremental DNSSEC Deployment is Vulnerable Subdomain Injection Unsigned Delegation We suggest attacks exploiting unsigned NS and A delegation records, breaching privacy and anonymity, and inflicting denial/degradation of service. Name Server (NS) Blocking We introduce the name server blocking technique, which allows an attacker to force the resolver to stop using a particular name server, and eventually, to query a name server of attacker’s choice, e.g., a compromised name server, when resolvers strictly follow RFC 4697 [25] }}}