code-423n4 / 2023-04-ens-findings


Trust anchors cannot be updated #324

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-04-ens/blob/45ea10bacb2a398e14d711fe28d1738271cd7640/contracts/dnssec-oracle/DNSSECImpl.sol#L52-L56

Vulnerability details

Impact

It will not be possible to claim names, because ENS will not be able to verify DNSSEC records after a root key rollover.

Proof of Concept

The DNSSEC root key signing keys act as trust anchors for the entire system. If they are invalid, DNSSEC record verification will fail. They are set only in the constructor of DNSSECImpl.sol:

constructor(bytes memory _anchors) {
    // Insert the 'trust anchors' - the key hashes that start the chain
    // of trust for all other records.
    anchors = _anchors;
}

It is assumed that the root key is correctly entered on deployment. However, there is currently no way to update these after deployment. (Note also that DNSSECImpl is immutable in DNSRegistrar.sol and in OffchainDNSResolver.sol.)

The root keys are rarely replaced, but it does happen. A new key was generated on 27 April 2023, which is planned to be pre-published in Jan 2024, after which a rollover will take place two years thereafter. After this, ENS will no longer have a valid root key and will be unable to verify DNSSEC records.

Recommended Mitigation Steps

Add an owner-only setter for anchors.
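Added example, not part of the original report or of the ENS code base: a Python check of whether a root DNSKEY is still covered by the key hashes fixed at deployment, which is the condition a rollover breaks. It assumes the anchors blob is a concatenation of root-owned DS records in DNS wire format with SHA-256 digests; the keys are constructed samples, not real root keys, and all function names are hypothetical.

```python
import hashlib
import struct

ROOT = b"\x00"  # wire-format owner name of the DNS root

def key_tag(dnskey_rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not algorithm 1)."""
    acc = 0
    for i, byte in enumerate(dnskey_rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(dnskey_rdata: bytes, owner: bytes = ROOT) -> bytes:
    """DS RDATA with digest type 2: SHA-256 over owner name || DNSKEY RDATA."""
    digest = hashlib.sha256(owner + dnskey_rdata).digest()
    return struct.pack("!HBB", key_tag(dnskey_rdata), dnskey_rdata[3], 2) + digest

def encode_anchor(ds_rdata: bytes, ttl: int = 3600) -> bytes:
    """One root-owned DS RR: name, type 43, class IN, TTL, RDLENGTH, RDATA."""
    return ROOT + struct.pack("!HHIH", 43, 1, ttl, len(ds_rdata)) + ds_rdata

def parse_anchors(blob: bytes) -> list[bytes]:
    """Split the assumed anchors format into the RDATA of each DS record."""
    out, pos = [], 0
    while pos < len(blob):
        if blob[pos:pos + 1] != ROOT:
            raise ValueError("anchor owner is not the root")
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", blob, pos + 1)
        start = pos + 11  # 1-byte name + 10-byte fixed RR header
        if rtype != 43 or start + rdlen > len(blob):
            raise ValueError("malformed DS record")
        out.append(blob[start:start + rdlen])
        pos = start + rdlen
    return out

def anchored(dnskey_rdata: bytes, anchors: bytes) -> bool:
    """True if some DS anchor commits to exactly this DNSKEY."""
    return make_ds(dnskey_rdata) in parse_anchors(anchors)

# Constructed sample keys: flags 257 (KSK), protocol 3, algorithm 8.
OLD_KSK = struct.pack("!HBB", 257, 3, 8) + bytes(range(64))
NEW_KSK = struct.pack("!HBB", 257, 3, 8) + bytes(range(64, 128))
DEPLOYED = encode_anchor(make_ds(OLD_KSK))  # stands in for the constructor argument

if __name__ == "__main__":
    for name, key in (("old KSK", OLD_KSK), ("new KSK", NEW_KSK)):
        print(name, "tag", key_tag(key), "anchored:", anchored(key, DEPLOYED))
```

Run against the live root DNSKEY set and the deployed anchors value, a check like this reports a pre-published key that the anchors do not cover before the rollover takes effect.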

c4-pre-sort commented 1 year ago

thereksfour marked the issue as primary issue

c4-pre-sort commented 1 year ago

thereksfour marked the issue as duplicate of #75

c4-judge commented 1 year ago

dmvt changed the severity to 2 (Med Risk)

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Invalid