Lines of code
https://github.com/code-423n4/2022-07-ens/blob/ff6e59b9415d0ead7daf31c2ed06e86d9061ae22/contracts/dnssec-oracle/DNSSECImpl.sol#L49
Vulnerability details
Impact
Trust anchors are specified during deployment of the DNS oracle, and no functionality is provided to add, update or deactivate trust anchors. If the DNS root server keys are changed for whatever reason (planned rollover, new keys added or compromised), there is no other way to update the DNS oracle than to deploy a new one and change the ENS registry (if this functionality will be provided in the new DNS registrar, which is unclear as it is out of scope).
Proof of Concept
NA
Tools Used
NA
Recommended Mitigation Steps
Add functionality to remove and add trust anchors when needed. If this is by design the anchors can be set to immutable.
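One way to make the anchors replaceable by an owner, with every change logged so rotations can be audited (added example, not code from the ENS repository; the contract, event, error and function names are hypothetical, and the single-owner access model is an assumption):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration only. All names here are hypothetical.
contract RotatableTrustAnchors {
    address public owner;

    // Opaque anchor bytes, in whatever encoding the oracle's verifier expects.
    bytes public anchors;

    // Hashes are indexed so monitoring can alert on any unexpected rotation.
    event AnchorsUpdated(bytes32 indexed previousHash, bytes32 indexed newHash);

    error NotOwner();
    error EmptyAnchors();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(bytes memory initialAnchors) {
        // An empty set would leave the oracle unable to verify anything.
        if (initialAnchors.length == 0) revert EmptyAnchors();
        owner = msg.sender;
        anchors = initialAnchors;
        emit AnchorsUpdated(bytes32(0), keccak256(initialAnchors));
    }

    // Replaces the whole anchor set. During a planned rollover the caller can
    // first publish old and new keys together, then drop the old key later.
    function setAnchors(bytes calldata newAnchors) external onlyOwner {
        if (newAnchors.length == 0) revert EmptyAnchors();
        bytes32 previousHash = keccak256(anchors);
        anchors = newAnchors;
        emit AnchorsUpdated(previousHash, keccak256(newAnchors));
    }
}
```

For the by-design alternative, note that Solidity's `immutable` keyword applies only to value types, so a `bytes` anchor set cannot be declared immutable directly.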