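@comment{
  Internet-Draft record exported from the IETF Datatracker; entry type is
  @techreport with type = {Internet-Draft} so standard styles label it correctly.
  Fixes against the raw export: the title is no longer double-braced (which
  would have disabled style casing entirely), only the acronyms DNS and ECS are
  brace-protected, and straight ASCII double quotes inside the abstract are
  replaced by LaTeX quote pairs so they typeset as opening/closing quotes.
  The key and every field value are otherwise unchanged from the export.
}
@techreport{li-dnsop-ecs-aggregation-fix-02,
  author      = {Xiang Li and Yuqi Qiu},
  title       = {Strengthening {DNS} Query Aggregation against {ECS-based} Attacks},
  type        = {Internet-Draft},
  number      = {draft-li-dnsop-ecs-aggregation-fix-02},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2026,
  month       = jun,
  day         = 28,
  pagetotal   = 14,
  url         = {https://datatracker.ietf.org/doc/draft-li-dnsop-ecs-aggregation-fix/02/},
  note        = {Work in Progress},
  abstract    = {The DNS query aggregation mechanism is a critical defense against DNS cache poisoning attacks that exploit the ``Birthday Paradox''. However, recent research has revealed that flawed implementations of the EDNS Client Subnet (ECS) option, as specified in RFC 7871, can be exploited to bypass this defense. This allows attackers to force a resolver to issue multiple simultaneous queries for the same domain name by crafting queries with different ECS options. This vulnerability revives the classic DNS Birthday Attack, posing a significant threat to DNS resolvers and the clients they serve. Section 11.2 of RFC 7871 notes the general risk of Birthday Attacks and suggests marking whether responding nameservers send ECS options, but it does not define a concrete mechanism. This document turns that observation into a specified processing model for the ECS option in DNS resolvers. A resolver tracks, per zone, whether the authoritative servers use ECS: a ``no-ECS-support'' state forces query aggregation for zones that do not use ECS, and an ``ECS-support'' state lets a resolver treat an unexpected response without an ECS option (or one with a zero scope) as suspect for zones that do, such as content delivery networks. The document also describes how a resolver bounds the residual risk with a limit on simultaneous outstanding queries. It is offered as input that the working group could fold into a future revision of RFC 7871.},
}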