[dns-operations] Spoofing DNS with fragments

Mark Andrews marka at isc.org
Fri Sep 14 00:25:47 UTC 2018

And over all the TLD servers.

dns=ok dnswkk=formerr,notsig
dns=ok dnswkk=malformed
dns=ok dnswkk=notauth,badkey
dns=ok dnswkk=notauth,notsig
dns=ok dnswkk=notsig
dns=ok dnswkk=refused
dns=ok dnswkk=servfail,notsig
dns=ok dnswkk=timeout
dns=ok dnswkk=tsig-bad-class,tsig-wrong-alg,tsig-badtime,notauth,badkey
dns=ok dnswkk=tsig-bad-old-id,notauth,badkey
dns=ok dnswkk=tsig-badtime,notauth,badkey
dns=refused dnswkk=notauth,badkey
dns=servfail dnswkk=notauth,badkey
dns=servfail dnswkk=tsig-wrong-alg,notauth,badkey

of which these are definite misimplementations of TSIG

dns=ok dnswkk=malformed (failed to parse the response, will need to investigate further)
dns=ok dnswkk=notauth,notsig (set rcode to NOTAUTH but failed to send a TSIG record)
dns=ok dnswkk=timeout (stupid firewall probably)
dns=ok dnswkk=tsig-bad-class,tsig-wrong-alg,tsig-badtime,notauth,badkey (bad class field)

And these are in the grey area

dns=ok dnswkk=tsig-bad-old-id,notauth,badkey (old-id not set correctly, behind a proxy with a separate id space?)
dns=ok dnswkk=tsig-badtime,notauth,badkey (bad clock?)
dns=servfail dnswkk=tsig-wrong-alg,notauth,badkey (request algorithm not set in reply)

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
