[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Jan 14 19:28:53 UTC 2018

> On Jan 14, 2018, at 11:53 AM, Florian Weimer <fweimer at redhat.com> wrote:
>> "Forged Delegation Injection into Empty Non-Terminal with NSEC3"
>> http://www.e-ontap.com/dns/entpoison.html
>> Is the NSEC3 proofing what?
> Isn't this just the expected result of using NSEC3 opt-out?

That's largely my reaction also.  Indeed opt-out should not be
used at all in zones such as the one used in the example.  The
use-case for opt-out is delegation-only zones (such as .com) where
most of the delegations are unsigned.

Names left out of the NSEC3 chain have insecure denial of existence.

So the key question is whether the "gov.example" ENT in the example
is or is not part of the zone's NSEC3 chain. If one fails to include
the ENT in the NSEC3 chain, then the ENT is subject to forged NS
record injection.

Based on Erratum "3441" to RFC5155, one might indeed leave the ENT
out of the NSEC3 chain, resulting in the reported exposure of the
ENT to NS record forgery.  If the sole purpose of the ENT is
insecure delegation of sub-domains of that ENT, then it is not
clear why one would care that the ENT is subject to NS record
forgery if the same is true of all the child records.
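The two cases discussed above, modelled as an added example that is not part of the original post and not code from any DNS implementation: a zone "example" signed with NSEC3 opt-out, an ENT "gov.example" whose only children are unsigned delegations, and the RFC 5155 section 8.9 referral-validation logic run against a forged "gov.example NS" RRset, once with the ENT left out of the NSEC3 chain (as erratum 3441 permits) and once with an NSEC3 RR for the ENT present. The zone names, type bitmaps, salt and iteration count are constructed for illustration; the hash function itself follows RFC 5155 section 5.

```python
"""NSEC3 opt-out versus an empty non-terminal (added example, not the
poster's code).  Zone, salt and iteration count are constructed."""
import base64
import hashlib
from dataclasses import dataclass

# base32 -> base32hex (RFC 4648 section 7), positional so a translate() works
BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name; '' is the root."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(x || salt), iterated, base32hex (lowercase)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(BASE32HEX).lower()


@dataclass
class Nsec3:
    owner: str            # hashed owner label
    next_hash: str        # next hashed owner in the chain
    opt_out: bool         # Opt-Out flag
    types: frozenset      # type bitmap


def build_chain(names, salt, iters, opt_out, types_of):
    """Hash the signed names, sort, and link each to its successor (wrapping)."""
    hashes = sorted((nsec3_hash(n, salt, iters), n) for n in names)
    return [Nsec3(h, hashes[(i + 1) % len(hashes)][0], opt_out,
                  frozenset(types_of.get(n, ())))
            for i, (h, n) in enumerate(hashes)]


def matching(chain, h):
    return next((r for r in chain if r.owner == h), None)


def covering(chain, h):
    """NSEC3 whose span (owner, next) contains h; the last RR wraps around."""
    for r in chain:
        if r.owner < r.next_hash:
            if r.owner < h < r.next_hash:
                return r
        elif h > r.owner or h < r.next_hash:
            return r
    return None


def validate_referral(chain, name, salt, iters):
    """RFC 5155 section 8.9: may an unsigned NS RRset at `name` be accepted as
    an insecure delegation?  Returns 'insecure' (accepted) or 'bogus'."""
    m = matching(chain, nsec3_hash(name, salt, iters))
    if m is not None:   # the name is in the chain, so its bitmap decides
        ok = "NS" in m.types and "DS" not in m.types and "SOA" not in m.types
        return "insecure" if ok else "bogus"
    # No match: closest-encloser proof (section 8.3), walking up the ancestors.
    child, enc = name, name.partition(".")[2]
    while (e := matching(chain, nsec3_hash(enc, salt, iters))) is None:
        if enc == "":
            return "bogus"
        child, enc = enc, enc.partition(".")[2]
    if "DNAME" in e.types or ("NS" in e.types and "SOA" not in e.types):
        return "bogus"          # closest encloser is itself a cut point
    c = covering(chain, nsec3_hash(child, salt, iters))
    # Only an Opt-Out span lets an unsigned delegation hide in the gap.
    return "insecure" if c is not None and c.opt_out else "bogus"


SALT, ITERS = bytes.fromhex("aabbccdd"), 12          # constructed parameters
ZONE_TYPES = {                                       # constructed zone content
    "example": {"SOA", "NS", "DNSKEY", "NSEC3PARAM", "RRSIG"},
    "www.example": {"A", "RRSIG"},
    "gov.example": set(),   # ENT: exists only above unsigned delegations
}


def chain_without_ent(opt_out=True):
    """Chain as erratum 3441 allows: the ENT gets no NSEC3 RR of its own."""
    return build_chain(["example", "www.example"], SALT, ITERS, opt_out, ZONE_TYPES)


def chain_with_ent(opt_out=True):
    """Chain with an (empty-bitmap) NSEC3 RR for the ENT."""
    return build_chain(["example", "gov.example", "www.example"],
                       SALT, ITERS, opt_out, ZONE_TYPES)


if __name__ == "__main__":
    for label, chain in (("ENT omitted", chain_without_ent()),
                         ("ENT included", chain_with_ent())):
        print(label, "forged gov.example NS:",
              validate_referral(chain, "gov.example", SALT, ITERS),
              "| child nyc.gov.example NS:",
              validate_referral(chain, "nyc.gov.example", SALT, ITERS))
```

With the ENT omitted, H(gov.example) falls into an Opt-Out span, so a validator must treat a replayed NSEC3 plus an attacker-supplied NS RRset as a legitimate insecure delegation; with an NSEC3 RR for the ENT present, the matching record has no NS bit and the forged referral is bogus, while the real unsigned children (nyc.gov.example) are still accepted through the opt-out span below the ENT. With Opt-Out clear the forged referral is bogus in either chain.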

