A 20-plus-year-old security vulnerability in the design of DNSSEC could allow a single DNS packet to exhaust the processing capacity of any server offering the system for domain-name resolution, effectively disabling the machine. Yes, a single DNS packet can take out a remote DNSSEC server.

Source: The Register