[dns-operations] signing a zone with NSEC3 records.
george.barwood at blueyonder.co.uk
Thu Sep 10 15:37:05 UTC 2009
----- Original Message -----
>From: "bert hubert" <bert.hubert at netherlabs.nl>
>$ dig nosuchdomain.gov +dnssec @c.usadotgov.net
>Which weighs in at 1513 bytes of payload, and two fragments.
That might be of some interest, because it allows fragmentation attacks
that may otherwise be hard to carry out ( I think ).
A fragmentation attack needs
(1) A large response to attack
(2) To predict the IP identifier field
( Note: the idea behind a fragmentation attack is that only the first fragment carries
the DNS ID field and UDP port number, so other fragments are relatively easy to forge. )
Depending on the IP implementation, (2) may be trivial or require 2^16 guesses.
That is to say, if the server allocates IP identifiers on a per-destination basis,
the IP identifier is not obviously visible
( see http://tools.ietf.org/html/draft-ietf-opsec-ip-security-01 ).
In this case, if NXDOMAIN responses are >1500 bytes, the attacker can send a
large ( ~ 2^16 ) number of fragmentation attacks towards an open cache. It should be
able to detect when one of these succeeds - and the attacker then knows the IP
identifier, which can then be used to continue the attack more efficiently
( since the identifier is usually just incremented each time a packet is sent ).
The above is theoretical : I haven't actually tried to conduct such an attack.
Also, under IPv6, the IP identifier is 32 bits, which makes it harder to guess.
More information about the dns-operations