[dns-operations] Spoofing DNS with fragments

Mark Andrews marka at isc.org
Wed Sep 12 23:01:43 UTC 2018



> On 13 Sep 2018, at 1:00 am, Florian Weimer <fweimer at redhat.com> wrote:
> 
> On 09/12/2018 12:50 AM, Mark Andrews wrote:
>> TSIG with a well known key doesn’t require a flag day.
> 
> I'm worried that using TSIG will require a flag day eventually, just like EDNS.
> 
> The buffer size hack, combined with kernel assistance on some systems, looks much more promising, and it only requires fixing the authoritative server side, too.
> 
> Thanks,
> Florian


EDNS did not need a flag day.

TSIG with a well known key definitely doesn’t need a flag day.  You can check
the entire Alexa top 1M servers using ISC's DNS Compliance Tool.  It added a rule
yesterday, “dnswkk”, that sends a TSIG “signed” message with an all-zero MAC (which will
be a real MAC soon).

e.g.
	genreport -i dns -i dnswkk < list-of-zones-to-test

* most of them will report “notauth,badkey” as they currently implement TSIG.
* some will return FORMERR (this is STD13 behaviour for unexpected input).
* some will report “notsig”, indicating they ignored the TSIG record.
* some will timeout where the control is ok.

Once the code is written to generate and check the HMAC you will see “ok” if
a server supports the WKK.

% echo . | ./genreport -i dnswkk -i dns -o
. @192.33.4.12 (c.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @2001:500:2::c (c.root-servers.net.): dns=timeout dnswkk=timeout
. @199.7.83.42 (l.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @2001:500:9f::42 (l.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @199.7.91.13 (d.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @2001:500:2d::d (d.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @192.203.230.10 (e.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @2001:500:a8::e (e.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @192.112.36.4 (g.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @2001:500:12::d0d (g.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @193.0.14.129 (k.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @2001:7fd::1 (k.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @192.58.128.30 (j.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @2001:503:c27::2:30 (j.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @192.36.148.17 (i.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @2001:7fe::53 (i.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @199.9.14.201 (b.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @2001:500:200::b (b.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @198.97.190.53 (h.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @2001:500:1::53 (h.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @192.5.5.241 (f.root-servers.net.): dns=ok dnswkk=notsig
. @2001:500:2f::f (f.root-servers.net.): dns=ok dnswkk=notsig
. @202.12.27.33 (m.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @2001:dc3::35 (m.root-servers.net.): dns=ok dnswkk=notauth,badkey
. @198.41.0.4 (a.root-servers.net.): dns=ok dnswkk=formerr,notsig
. @2001:503:ba3e::2:30 (a.root-servers.net.): dns=ok dnswkk=notauth,badkey
%

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
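The probe and the result tags above, as an added illustration that is not part of the post or of ISC's genreport: it builds an SOA query carrying a TSIG RR with an all-zero MAC and labels a response the way the dnswkk column does (notauth, badkey, formerr, notsig, ok). The query type, the key name "wkk." and the hmac-sha256 algorithm are assumptions, since the post does not state them, and "ok" here only means a TSIG RR came back without an error code, because the MAC is not verified (the post says that code was still to be written).

```python
import struct, time

TSIG, ANY, SOA, IN, NOERROR, FORMERR, NOTAUTH, BADKEY = 250, 255, 6, 1, 0, 1, 9, 17

def name_wire(name):  # dotted name -> uncompressed wire labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\0"

def tsig_rr(keyname, mac, orig_id, error=0):
    # TSIG RR layout (RFC 2845, now RFC 8945): class ANY, TTL 0;
    # RDATA = algorithm, 48-bit time signed, fudge, MAC size, MAC, original ID, error, other len
    rdata = (name_wire("hmac-sha256.") + struct.pack("!Q", int(time.time()))[2:]
             + struct.pack("!HH", 300, len(mac)) + mac + struct.pack("!HHH", orig_id, error, 0))
    return name_wire(keyname) + struct.pack("!HHIH", TSIG, ANY, 0, len(rdata)) + rdata

def build_probe(qid, zone, keyname):
    # SOA query for the zone with a TSIG whose MAC is all zeros (assumed shape of the dnswkk probe)
    hdr = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)
    return hdr + name_wire(zone) + struct.pack("!HH", SOA, IN) + tsig_rr(keyname, bytes(32), qid)

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def classify(msg):
    # Tag a response the way the genreport dnswkk column does; MAC is deliberately not checked
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, tsig_error = flags & 0xF, 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TSIG:
            rd = msg[off:off + rdlen]
            p = skip_name(rd, 0) + 8  # past algorithm name, time signed and fudge
            macsize = struct.unpack("!H", rd[p:p + 2])[0]
            tsig_error = struct.unpack("!H", rd[p + 4 + macsize:p + 6 + macsize])[0]
        off += rdlen
    tags = [t for c, t in ((rcode == NOTAUTH, "notauth"), (rcode == FORMERR, "formerr"),
                           (tsig_error is None, "notsig"), (tsig_error == BADKEY, "badkey")) if c]
    return ",".join(tags) or ("ok" if rcode == NOERROR else "rcode%d" % rcode)

def fake_response(query, rcode, tsig_error=None):
    # Constructed responder (not a real server): echo the question; append a TSIG RR only if asked
    qid, qend = struct.unpack("!H", query[:2])[0], skip_name(query, 12) + 4
    extra = b"" if tsig_error is None else tsig_rr("wkk.", b"", qid, tsig_error)
    return struct.pack("!HHHHHH", qid, 0x8000 | rcode, 1, 0, 0, 1 if extra else 0) + query[12:qend] + extra
```

Feeding real responses to `classify` needs the TSIG verification step the post mentions before "ok" can be trusted.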