[dns-operations] signing a zone with NSEC3 records.

George Barwood george.barwood at blueyonder.co.uk
Thu Sep 10 15:37:05 UTC 2009

----- Original Message ----- 
>From: "bert hubert" <bert.hubert at netherlabs.nl>
>$ dig  nosuchdomain.gov +dnssec @c.usadotgov.net
>Which weighs in at 1513 bytes of payload, and two fragments.

That might be of some interest, because it allows fragmentation attacks
that may otherwise be hard to carry out ( I think ).

A fragmentation attack needs 

(1) A large response to attack
(2) To predict the IP identifier field

( Note: the idea behind a fragmentation attack is that only the first fragment carries
  the DNS ID field and UDP port number, so other fragments are relatively easy to forge. )

Depending on the IP implementation, (2) may be trivial or require 2^16 guesses.
That is to say, if the server allocates IP identifiers on a per-destination basis,
the IP identifier is not obviously visible 
( see http://tools.ietf.org/html/draft-ietf-opsec-ip-security-01 ). 

In this case, if NXDOMAIN responses are >1500 bytes, the attacker can send a
large ( ~ 2^16 ) number of fragmentation attacks towards an open cache. It should be
able to detect when one of these succeeds - and the attacker then knows the IP 
identifier, which can then be used to continue the attack more efficiently 
( since the identifier is usually just incremented each time a packet is sent ).

The above is theoretical : I haven't actually tried to conduct such an attack.
Also, under IPv6, the IP identifier is 32 bits, which makes it harder to guess.


More information about the dns-operations mailing list