Your Shield is My Sword: A Persistent Denial-of-Service Attack via the Reuse of Unvalidated Caches in DNSSEC Validation
Shuhan Zhang
34th USENIX Security Symposium (USENIX Security '25) · Day 2 · Network Security 2: Routing and DoS
In an era where digital security is paramount, the Domain Name System Security Extensions (DNSSEC) stands as a critical bulwark against DNS cache poisoning, a prevalent attack vector that can redirect users to malicious sites or disrupt legitimate services. However, a groundbreaking research paper presented at USENIX Security 2025, titled "Your Shield is My Sword: A Persistent Denial-of-Service Attack via the Reuse of Unvalidated Caches in DNSSEC Validation," reveals a severe vulnerability that turns this protective mechanism into a weapon for persistent denial of service. Authored by Shuhan Zhang, a PhD student at Tsinghua University, and collaborators from Tsinghua University and Dunwanun Laboratory, this work exposes how a fundamental design flaw in DNSSEC troubleshooting—specifically, the mishandling of unvalidated cache data—can lead to widespread and prolonged service outages.
AI review
Solid DNS security research that earns its place at USENIX — a genuine design-flaw exploit buried in the CD bit mechanism, with real measurement data across 29 public resolvers and empirical confirmation that 28 of them were vulnerable. The work is original, the IETF draft is a concrete downstream artifact, and the three-variant taxonomy (RU-DSAC, RU-NSIP, RU-EDNS0) is cleanly decomposed. Knocking it from 5 to 4 because the off-path path requires IP ID prediction — a dependency that narrows real-world exploitability — and the demo was conceptual rather than live.