fl1ger / deleg

Extensible Delegation for DNS
Other
9 stars 14 forks source link

Potential DELEG-only NXDOMAIN replay attack. #20

Open RoyArends opened 1 year ago

RoyArends commented 1 year ago

This is minor, but just wanted to put it out there.

When only a DELEG and Authenticated Denial record exist at a delegation point, and no NS and DS, then a referral response can be replayed as an NXDOMAIN response to legacy validators. However, legacy resolvers can't use this referral anyway, due to the absence of NS records. Ergo, it is highly unlikely that NS records will ever go away.

bemasc commented 10 months ago

This does create an interesting wrinkle: when you receive a DELEG response, it's not enough to confirm that it has a valid DNSSEC signature that chains to the root. It must specifically have the parent's signature. The child could also produce signed DELEG records, but these are not valid. In particular, an attacker could replay a signed NODATA response from the child to disable DELEG resolution, and the resolver must be able to reject this because its RRSIG comes from the child side.

RoyArends commented 10 months ago

For DS, this is addressed in RFC6840 Section 4.1

I know it is not the exact same issue. I think if we just specify that the signer field MUST be shorter than the owner name of the DELEG RR, we're there.

pspacek commented 4 months ago

I agree, this is a known problem in the existing DNS protocol and the same solutions can be applied here. Again, this should apply to all new parent-side types (https://www.ietf.org/archive/id/draft-peetterr-dnsop-parent-side-auth-types-00.txt)