randomised and validated by different ‘patches’ to DNS. We investigate the prominent patches, and show how off-path
attackers can circumvent all of them, exposing the resolvers to cache poisoning attacks.
We present countermeasures that prevent our attacks; however, we believe that our attacks provide additional motivation for
the adoption of DNSSEC (or other MitM-secure defenses).
We then investigate vulnerabilities in DNSSEC configuration among resolvers and zones, which reduce or even nullify the
protection offered by DNSSEC. Finally, we provide recommendations and countermeasures to prevent these vulnerabilities.