[dns-operations] Opened Pandora's box of Cache Poisoning

Daisuke Kotani daisuke at kotachi.com
Sat May 3 16:43:06 UTC 2014

Hi Hauke,

One thing that should be noted in the "Additional Page" is that the jp. 
name servers directly delegate example.ac.jp to the authoritative 
servers of it, and no RR of QNAME "ac.jp."

DNSSEC does not sign NS RRs for delegation (See RFC4035 Sec.2.2),
therefore DNSSEC cannot verify the integrity of delegation.
(I think it is easy to imagine what happens in this situation)

(2014/05/03 21:36), Hauke Lampe wrote:
> Hello Tsunehiko
> On 03.05.2014 08:40, T.Suzuki wrote:
>> Additional page:
>> http://www.e-ontap.com/dns/pandora_acjp_e/
>>From the information on your site, I surmise you managed to poison the
> cache of a BIND 9.9.2-P2 resolver. Can you disclose by which method you
> injected the fake NS rrsets? Was DNSSEC validation disabled?
> For a randomly chosen unsigned zone in ac.jp, I see named sending these
> queries in the process:
> To .             A? www.u-tokyo.ac.jp.
> To jp.           A? www.u-tokyo.ac.jp. (x)
> To u-tokyo.ac.jp A? www.u-tokyo.ac.jp.
> To .             DS? jp.
> To .             DS? ac.jp.
> To jp.           DS? ac.jp. (+)
> To jp.           DNSKEY? jp.
> To jp.           DS? u-tokyo.ac.jp.
> If I understand you correctly, you successfully spoofed the response to
> the second query (x), and instead of the original direct delegation
> installed a fake NS rrset for ac.jp in the cache, redirecting the next
> query to your own nameserver.
> If DNSSEC validation is active, the DS query for ac.jp (+) would
> probably break the chain as it proves the absence of the delegation.
> Does that sound about right or did I miss some crucial details? (I'm
> really just a DNS operator, not a computer scientist. ;)
> Hauke.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Daisuke Kotani <daisuke at kotachi.com>

More information about the dns-operations mailing list