A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification. That would make it trivial to take down, say, a public DNSSEC-validating DNS resolver that has yet to be patched, upsetting all the clients relying on that service.

Source: The Register