[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3
Mark Andrews
marka at isc.org
Sun Jan 14 23:46:11 UTC 2018
NSEC3 records for ENT only need to exist for parent domains of records that
provably exist in an NSEC3 zone. Insecure delegations do not, by default, provably
exist when OPTOUT is in use.
dnssec-signzone adds NSEC3 records for ENT when there is a child domain that
provably exists.
Note: there is no mechanism in dnssec-signzone to say "add an NSEC3 record for this
insecure delegation", despite that being permitted by NSEC3.
Mark
> On 15 Jan 2018, at 6:28 am, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
>
>
>> On Jan 14, 2018, at 11:53 AM, Florian Weimer <fweimer at redhat.com> wrote:
>>
>>> "Forged Delegation Injection into Empty Non-Terminal with NSEC3"
>>> http://www.e-ontap.com/dns/entpoison.html
>>> Is the NSEC3 proofing what?
>>
>> Isn't this just the expected result of using NSEC3 opt-out?
>
> That's largely my reaction also. Indeed opt-out should not be
> used at all in zones such as the one used in the example. The
> use-case for opt-out is delegation-only zones (such as .com) where
> most of the delegations are unsigned.
>
> Names left out of the NSEC3 chain have insecure denial of existence
> (both NXDOMAIN and NODATA).
>
> So the key question is whether the "gov.example" ENT in the example
> is or is not part of the zone's NSEC3 chain. If one fails to include
> the ENT in the NSEC3 chain, then the ENT is subject to forged NS
> record injection.
>
> Based on Erratum "3441" to RFC5155, one might indeed leave the ENT
> out of the NSEC3 chain, resulting in the reported exposure of the
> ENT to NS record forgery. If the sole purpose of the ENT is
> insecure delegation of sub-domains of that ENT, then it is not
> clear why one would care that the ENT is subject to NS record
> forgery if the same is true of all the child records.
>
> --
> Viktor.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
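The distinction the thread turns on (a name left out of the NSEC3 chain has only insecure denial of existence under opt-out, while an ENT that dnssec-signzone adds to the chain provably exists) can be checked mechanically. The following is an added example, not code from the thread or from BIND; the zone names are constructed sample data, and the hashing and span logic follow RFC 5155.

```python
"""Classify how an NSEC3 chain answers for a name, per RFC 5155.
Added example, not code from the thread or from BIND. The zone names
below are constructed sample data; hashing and span logic follow RFC 5155."""
import base64
import hashlib

OPT_OUT = 0x01  # NSEC3 Flags field, bit 0 (RFC 5155 section 3.1.2.1)
# RFC 4648 base32 alphabet -> base32hex alphabet; base32hex sorts like the digest.
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical lower-case wire-format owner name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """SHA-1 of (name || salt), re-hashed with the salt 'iterations' more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(B32HEX)

def build_chain(names, opt_out, salt=b"", iterations=0):
    """(owner_hash, next_hash, flags) tuples for the names that provably exist."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    flags = OPT_OUT if opt_out else 0
    return [(h, hashes[(i + 1) % len(hashes)], flags) for i, h in enumerate(hashes)]

def classify(name, chain, salt=b"", iterations=0):
    """'exists' (secure NODATA), 'secure-nxdomain', or 'insecure' (opt-out span)."""
    h = nsec3_hash(name, salt, iterations)
    for owner, nxt, flags in chain:
        if h == owner:
            return "exists"
        wraps = owner >= nxt  # the last record points back to the first
        if owner < h < nxt or (wraps and (h > owner or h < nxt)):
            return "insecure" if flags & OPT_OUT else "secure-nxdomain"
    raise ValueError("no NSEC3 record covers the name; chain is inconsistent")

if __name__ == "__main__":
    signed = ["example.", "www.example."]  # constructed: names in the chain
    # Opt-out chain that leaves the ENT out: denial for it (and so a forged NS
    # for it) cannot be validated either way.
    print(classify("gov.example.", build_chain(signed, opt_out=True)))
    # What dnssec-signzone does once a child under the ENT provably exists.
    print(classify("gov.example.", build_chain(signed + ["gov.example."], True)))
```

With `salt=bytes.fromhex("aabbccdd")` and `iterations=12`, `nsec3_hash` can be compared against the worked zone in RFC 5155 Appendix A.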