[dns-operations] DNS cookie bugs

Warren Kumari warren at kumari.net
Fri Dec 8 15:03:51 UTC 2017 

On Fri, Dec 8, 2017 at 7:15 AM, Tony Finch <dot at dotat.at> wrote:
> Mark Andrews <marka at isc.org> wrote:
>>
>> I really don’t understand how a DNS developer could decide that it was
>> sensible to echo back data that the server does not understand.  Most of
>> the servers that do this appeared on the net *after* RCF 6891 was
>> published.  See: http://ednscomp.isc.org/compliance/ts/gov.optfail.html
>
> This one is a different kind of weirdness. The garbage in the server
> cookie varies a bit depending on the type but otherwise seems to be almost
> always the same.

Oooooh, fascinating.

I get variations on:
Client: 0000000000000000
Server: 0000000000000000ffffffffffffffff0000000000000000 (good)

Client: 0000000000000000
Server: 000000000000000000000000000000000000000000000000 (good)

Client: 0000000000000000
Server: 000000000000000030cebe4a2a00000030cebe4a2a000000 (good)

Client: 0000000000000001
Server: 000000000000000030cebe4a2a00000030cebe4a2a000000 (bad)

Client: 0000000000000002
Server: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)

Client: 0000000000000003
Server: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)

Client: 0000000000000004
Server: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)

 Client: ffffffffffffffff
Server: 000000000000000030cebe4a2a00000030cebe4a2a000000 (bad)

The first octet of the server part of the cookie seems to change, but
in my (very limited!) testing, if the cookie isn't all 0x00, or
0x00..ff..00  the 0xcebe4a string always seems to show up.
The client cookie doesn't seem to influence the server one in any way.

If I run this for a while I get:
; COOKIE: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)
; COOKIE: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)
; COOKIE: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)
; COOKIE: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)
; COOKIE: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)
; COOKIE: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)
; COOKIE: 000000000000000000000000000000000000000000000000 (bad)
; COOKIE: 000000000000000000000000000000000000000000000000 (bad)
; COOKIE: 000000000000000000000000000000000000000000000000 (bad)
; COOKIE: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)
; COOKIE: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)
; COOKIE: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)
; COOKIE: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)
; COOKIE: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)
; COOKIE: 000000000000000000000000000000000000000000000000 (bad)
; COOKIE: 000000000000000000000000000000000000000000000000 (bad)
; COOKIE: 000000000000000060c9ce4a2a00000060c9ce4a2a000000 (bad)

with ~91% of the cookies being 0xc9ce4a2a flavored and 9% being
tasteless (0x00...)

As you can guess, I'm desperately trying to avoid doing real work
today -- this has been a fun distraction, now it's time to go tidy my
desk...
W


>
> ; <<>> DiG 9.12.0rc1 <<>> +qr +multi +norec www.europarl.europa.eu aaaa @136.173.159.209
> ;; global options: +cmd
> ;; Sending:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8516
> ;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 73f12a825df4386c
> ;; QUESTION SECTION:
> ;www.europarl.europa.eu.        IN AAAA
>
> ;; QUERY SIZE: 63
>
> ;; Warning: Client COOKIE mismatch
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8516
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 000000000000000030cebe4a2a00000030cebe4a2a000000 (bad)
> ;; QUESTION SECTION:
> ;www.europarl.europa.eu.        IN AAAA
>
> ;; AUTHORITY SECTION:
> europarl.europa.eu.     3600 IN SOA presluxsdnsout.europarl.europa.eu. dnsadmin.europarl.europa.eu. (
>                                 2017120500 ; serial
>                                 3600       ; refresh (1 hour)
>                                 3600       ; retry (1 hour)
>                                 86400      ; expire (1 day)
>                                 3600       ; minimum (1 hour)
>                                 )
>
> ;; Query time: 19 msec
> ;; SERVER: 136.173.159.209#53(136.173.159.209)
> ;; WHEN: Fri Dec 08 12:10:44 GMT 2017
> ;; MSG SIZE  rcvd: 139
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Fair Isle, East Faeroes: Northerly 7 to severe gale 9, occasionally storm 10
> at first. High or very high. Squally snow showers. Moderate, occasionally very
> poor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

More information about the dns-operations mailing list