[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3

Mark Andrews marka at isc.org
Sun Jan 14 23:46:11 UTC 2018

NSEC3 records for ENT only need to exist for parent domains of records that
provably exist in a NSEC3 zone.  Insecure delegations do not, by default, provably
exist when OPTOUT is in use.

dnssec-signzone adds NSEC3 records for ENT when there is a child domain that
provably exists.

Note: there is no mechanism in dnssec-signzone to say add a NSEC3 record for this
insecure delegation despite that being permitted by NSEC3. 


> On 15 Jan 2018, at 6:28 am, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>> On Jan 14, 2018, at 11:53 AM, Florian Weimer <fweimer at redhat.com> wrote:
>>> "Forged Delegation Injection into Empty Non-Terminal with NSEC3"
>>> http://www.e-ontap.com/dns/entpoison.html
>>> Is the NSEC3 proofing what?
>> Isn't this just the expected result of using NSEC3 opt-out?
> That's largely my reaction also.  Indeed opt-out should not be
> used at all in zones such as the one used in the example.  The
> use-case for opt-out is delegation-only zones (such as .com) where
> most of the delegations are unsigned.
> Names left out of the NSEC3 chain have insecure denial of existence
> (both NXDOMAIN and NODATA).
> So the key question is whether the "gov.example" ENT in the example
> is or is not part of the zone's NSEC3 chain. If one fails to include
> the ENT in the NSEC3 chain, then the ENT is subject to forged NS
> record injection.
> Based on Erratum "3441" to RFC5155, one might indeed leave the ENT
> out of the NSEC3 chain, resulting in the reported exposure of the
> ENT to NS record forgery.  If the sole purpose of the ENT is
> insecure delegation of sub-domains of that ENT, then it is not
> clear why one would care that the ENT is subject to NS record
> forgery is the same is true of all the child records.
> -- 
> 	Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the dns-operations mailing list