[dns-operations] Spoofing DNS with fragments

Mark Andrews marka at isc.org
Tue Sep 11 22:50:24 UTC 2018



> On 12 Sep 2018, at 7:26 am, Paul Vixie <paul at redbarn.org> wrote:
> 
> 
> 
> Viktor Dukhovni wrote:
> ...
>> 
>> My domain has both DNSSEC and a CAA record that matches none of the
>> public CAs, it'd be interesting to find out whether this is sufficient
>> to help all of them to avoid issuing an unauthorized certificate.
>> 
> 
> i think what's interesting about this latest rendition of the fragmentation attack (first told to me by florian in 2008 or so, and independently rediscovered several times since then) is not that a proof of concept was able to get someone to make a certificate for the attacker using the victim's identity because dnssec was relied upon for transaction authenticity.
> 
> rather, it's that dnssec cannot be relied upon, after all. must we use TSIG or TCP in order to actually trust the results of a dnssec lookup? if so, then we're 23+ years into the securedns effort, and still nothing to show for it except cost, complexity, and unreliability; and we'll have to have another flag day after two more years of development. if this is so, then the first thing we ought to do is, stop the KSK roll, and the second thing we ought to do is, remove dnssec from the root zone until a more secure design is available.

TSIG with a well known key doesn’t require a flag day.

TSIG-aware servers will return BADKEY if not configured with the WKK.  You still have to match qid and port in a response that should not get fragmented.
A STD13 server will ignore the TSIG or return FORMERR (similar to EDNS introduction). EDNS servers are in the high 90’s and many of the non-EDNS servers just ignore the OPT record.

It wouldn’t be too difficult to add a WKK test to the DNS compliance test rig and measure what the behaviour is.

DNS COOKIE also helps.

We could also just say use IPv6 as that has a 32 bit fragment ID space and a minimum fragmentation size of 1280 octets.  Perhaps we could stop running IPv4 name server instances.  BIND favours IPv6 servers in its RTT comparisons.

Mark

> -- 
> P Vixie
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
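To make concrete what TSIG over a well-known key buys a resolver against a spoofed or fragment-altered response, here is an added example (not Mark's or ISC's code, and not BIND's implementation) that signs and verifies a DNS message in the RFC 8945 request form with hmac-sha256. The key name `wkk.example.` and the secret are constructed for the demo; the verifier locates the TSIG RR by that key name rather than walking every section, and the response form (which prepends the request MAC) and EDNS are omitted. The point it shows is that the MAC covers the whole message plus the TSIG variables, so a payload that was changed in flight fails verification even if qid and port were guessed.

```python
import hmac
import hashlib
import struct

# Constructed, hypothetical shared key; a real deployment distributes this out of band.
KEY_NAME = "wkk.example."
KEY_SECRET = b"constructed-demo-secret-not-for-production"
ALG_NAME = "hmac-sha256."
TYPE_TSIG = 250
CLASS_ANY = 255


def encode_name(name: str) -> bytes:
    """Wire-format a domain name in canonical (lowercase, uncompressed) form."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_name(buf: bytes, off: int):
    """Read an uncompressed wire-format name; return (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_query(qid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal unsigned DNS query: header (RD set) plus one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG variables covered by the MAC: key name, class ANY, TTL 0, algorithm,
    48-bit time signed, fudge, error, other data (RFC 8945 section 4.3.3)."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALG_NAME)
            + struct.pack("!Q", time_signed)[2:]
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg: bytes, time_signed: int, fudge: int = 300) -> bytes:
    """Append a TSIG RR to an unsigned message (request form) and bump ARCOUNT."""
    mac = hmac.new(KEY_SECRET, msg + tsig_variables(time_signed, fudge), hashlib.sha256).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALG_NAME) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(signed: bytes, now: int) -> bool:
    """Return True only if the trailing TSIG RR carries a valid, fresh MAC."""
    key_wire = encode_name(KEY_NAME)
    start = signed.rfind(key_wire + struct.pack("!H", TYPE_TSIG))
    if start < 0:
        return False                      # unsigned message: reject under a WKK policy
    off = start + len(key_wire)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rclass != CLASS_ANY or off + rdlen != len(signed):
        return False                      # TSIG must be the last RR in the message
    rdata = signed[off:off + rdlen]
    alg, p = parse_name(rdata, 0)
    if alg != ALG_NAME:
        return False
    time_signed = int.from_bytes(rdata[p:p + 6], "big")
    fudge, macsize = struct.unpack("!HH", rdata[p + 6:p + 10])
    p += 10
    mac = rdata[p:p + macsize]
    p += macsize
    original_id, error, otherlen = struct.unpack("!HHH", rdata[p:p + 6])
    p += 6
    other = rdata[p:p + otherlen]
    if abs(now - time_signed) > fudge:
        return False                      # stale or replayed signature
    # Rebuild the message as it was before signing: drop the RR, restore ARCOUNT.
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = signed[:10] + struct.pack("!H", arcount) + signed[12:start]
    if struct.unpack("!H", unsigned[:2])[0] != original_id:
        return False
    expected = hmac.new(KEY_SECRET, unsigned + tsig_variables(time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    q = build_query(0x1234, "example.com.")
    s = tsig_sign(q, time_signed=1000)
    print("valid:", tsig_verify(s, now=1000))
    # Flip one byte of the question name, as a fragment-altered payload would.
    tampered = s[:13] + bytes([s[13] ^ 1]) + s[14:]
    print("tampered:", tsig_verify(tampered, now=1000))
```

The time check is what keeps a captured signed message from being replayed later, which is why the fudge window (300 seconds in RFC 8945) is part of the signed data rather than a local setting only.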