[dns-operations] Forged Delegation Injection into Empty Non-Terminal with NSEC3
Mark Andrews
marka at isc.org
Wed Jan 17 06:51:47 UTC 2018
RFC 5155 has the concept of:
Closest provable encloser: the longest ancestor of a name that can
be proven to exist. Note that this is only different from the
closest encloser in an Opt-Out zone.
You are supposed to be able to add/remove insecure delegations from an NSEC3 zone using OPTOUT without updating the NSEC3 chain.
In your example (which was very under-specified) ex.gov.example does not have a DS record, so it does not provably exist (or not exist), as it is in an NSEC3 OPTOUT range. The same applies to gov.example.
The closest provable encloser is example (the only name that provably exists in
your test zone).
As for gov.ac, I can't tell if this is a correct response as I don't know if there is a secure delegation under gov.ac or not. The NSEC3 chain presented says that there isn't one, as the hash falls between 0fu4q5os8p4qbh56hj8ifvi835ql9qin and 0VRQ99T0JHERJC9279H8TFCDBP5KG21H. The closest provable encloser is ac.
Mark
[rock:~/git/bind9] marka% dig ds gov.ac +dnssec
;; BADCOOKIE, retrying.
; <<>> DiG 9.13.0-dev+hotspot+add-prefetch+marka <<>> ds gov.ac +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56511
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 9a49ec2865b49a281ac6ed8e5a5eec55b23c49dc958f74ad (good)
;; QUESTION SECTION:
;gov.ac. IN DS
;; AUTHORITY SECTION:
ac. 894 IN SOA a0.nic.ac. noc.afilias-nst.info. 1497206750 10800 3600 2764800 900
ac. 894 IN RRSIG SOA 8 1 86400 20180207062135 20180117052135 47590 ac. JUPhqQ5Y74NIkqJ1tYOPpjVMfEF9AsAm0b46X92eKuOINl1PWuM+tV/R dGwORSPVX1k5SUquoXpSjle7zNO5UycyVCe503GCbV3hIbLsrgShdFTq 9b3LuqRM1dqiXuo8V6lLAwI2h9ZZCxdgO+nPo9SULuRLFUB3SwV89Ud0 tfg=
0fu4q5os8p4qbh56hj8ifvi835ql9qin.ac. 894 IN RRSIG NSEC3 8 2 900 20180206022423 20180116012423 47590 ac. Hufc6CqBP4ksdks4P2FCB7wliuGzyavoshrFj52Ji7ZRuWF1mTipHaO2 Hzni4vv/MrzVr/4PESr6R/N//mPlcbm/7DmyOfLPTIDwFQj/56+Qdswr olL45pVibjKwOvF4WBXD5dIAxd4l313NHOxT58zpK2caekEyHx6ltHjz lUo=
0fu4q5os8p4qbh56hj8ifvi835ql9qin.ac. 894 IN NSEC3 1 1 1 D399EAAB 0VRQ99T0JHERJC9279H8TFCDBP5KG21H NS DS RRSIG
psdmd2tob59cu5phsqmpvkndffq25pgt.ac. 894 IN RRSIG NSEC3 8 2 900 20180207062135 20180117052135 47590 ac. aZcdX668L/UIlRsZ1yOjkxpzM5sp9LX1B3TSOiUHPEvsCgetAN6zpGkp elEwuyUMfullvelPM5itm3wzt9QD/TnHzdMy/V12ahbAgQvhLIrJrX3g ebaOQ7Kn2G3BIB37jQiLsL9Bg1hcK6hWPKZlEMDUi3LLvN/P69MkQTk0 R2I=
psdmd2tob59cu5phsqmpvkndffq25pgt.ac. 894 IN NSEC3 1 1 1 D399EAAB Q1HNPEF2REI2EH77GTNLDDRDLOQH9HT6 NS SOA RRSIG DNSKEY NSEC3PARAM
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 17 17:25:25 AEDT 2018
;; MSG SIZE rcvd: 781
[rock:~/git/bind9] marka% nsec3hash -r 1 1 1 D399EAAB gov.ac
gov.ac NSEC3 1 1 1 D399EAAB 0SQ5NGS0D6LF9TU3LNBSP53E1HOVJLV9
[rock:~/git/bind9] marka% nsec3hash -r 1 1 1 D399EAAB ac
ac NSEC3 1 1 1 D399EAAB PSDMD2TOB59CU5PHSQMPVKNDFFQ25PGT
[rock:~/git/bind9] marka%
> On 17 Jan 2018, at 5:04 pm, T.Suzuki <tss at reflection.co.jp> wrote:
>
> On Mon, 15 Jan 2018 10:46:11 +1100
> Mark Andrews <marka at isc.org> wrote:
>
>> NSEC3 records for ENT only need to exist for parent domains of records that
>> provably exist in a NSEC3 zone. Insecure delegations do not, by default, provably
>> exist when OPTOUT is in use.
>>
>> dnssec-signzone adds NSEC3 records for ENT when there is a child domain that
>> provably exists.
>>
>> Note: there is no mechanism in dnssec-signzone to say add a NSEC3 record for this
>> insecure delegation despite that being permitted by NSEC3.
>>
>> Mark
>
> I cannot understand. What is "provably"? Where should I read in the RFC?
> <foobar>.gov.example is the name in the example zone.
> And there is the ex.gov.example zone below the example zone.
>
> One more:
> What about gov.ac?
>
> % dig gov.ac @8.8.8.8 +nocd
>
> ; <<>> DiG 9.9.5 <<>> gov.ac @8.8.8.8 +nocd
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26753
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;gov.ac. IN A
>
> ;; Query time: 195 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Jan 17 15:03:36 JST 2018
> ;; MSG SIZE rcvd: 35
>
> % dig gov.ac @8.8.8.8 +cd
>
> ; <<>> DiG 9.9.5 <<>> gov.ac @8.8.8.8 +cd
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52425
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;gov.ac. IN A
>
> ;; AUTHORITY SECTION:
> ac. 899 IN SOA a0.nic.ac. noc.afilias-nst.info. (
> 1497206749 ; serial
> 10800 ; refresh (3 hours)
> 3600 ; retry (1 hour)
> 2764800 ; expire (4 weeks 4 days)
> 900 ; minimum (15 minutes)
> )
>
> ;; Query time: 328 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Jan 17 15:03:54 JST 2018
> ;; MSG SIZE rcvd: 98
>
> --
> ------------------------------------------------------------------------------
> T.Suzuki
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org