[dns-operations] Spoofing DNS with fragments

Mark Andrews marka at isc.org
Sat Sep 15 21:59:16 UTC 2018 

Dnswkk is just a test using the suggested well known tsig key. 

Name “.”
Algorithm: hmac-sha256
Key: 256 zero bits (32 zero bytes) 

Hmac-sha256 was chosen because it  is almost certainly already by the name server already or the libraries it is using and avoids having to argue about using hoax-md5 or hmac-sha1 even though both of those would be fine and pose no risk at all.

Yes you can get a “ok” if you were to configure a server with this key and have your clock correct. Use the master branch. 

CC’d dns-operations to save you asking there. The test only knows one key though the code could be made more general. 

Even if the TSIG well known key doesn’t get through this still is testing TSIG implementations and finding lots of bugs both in the TSIG code, TSIG specification, and other other areas implementation and specification. 

STD under specifies how to generate a FORMERR. You don’t just echo the request back with the rcode set to FORMERR. Why anyone one would think it is sane to send bits you don’t understand in a reply I don’t know when you can just send a DNS header. 

The same goes for echoing back a unknown EDNS option by Microsoft’s servers.  We fixed the RFC then they shipped code that does that or that’s how it appears. 

-- 
Mark Andrews

> On 15 Sep 2018, at 23:44, A. Schulze <sca at andreasschulze.de> wrote:
> 
> 
> 
>> Am 13.09.18 um 01:01 schrieb Mark Andrews:
>>    genreport -i dns -i dnswkk < list-of-zones-to-test
>> 
>> * most of them will report “notauth,badkey” as they currently implement TSIG.
>> * some will return FORMERR (this is STD13 behaviour for unexpected input).
>> * some will “notsig” indicating they ignored the TSIG record.
>> * some will timeout where the control is ok.
>> 
>> Once the code is written to generate and check the hmac you will see “ok” if
>> a server supports the WKK. 
>> 
>> % echo . | ./genreport -i dnswkk -i dns -o
>> . @192.33.4.12 (c.root-servers.net.): dns=ok dnswkk=notauth,badkey
> ...
> 
> Hello Mark,
> 
> I noticed your suggestion to provide a well-known TSIG key.
> To understand more about the reasons, benefits and potential problems
> I cloned https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/ and use the
> 12-add-dummy-well-known-tsig-key-test branch.
> 
> Now I've some questions:
> - definition: what is "dnswkk"
> - could you name a server the work well, aka generate a "dnswkk=ok"
> - is this something I should better ask on dns-operation list?
> 
> I attend the DNS-OARC workshop in Amsterdam next month and I hope this will be a topic there.
> [beside the hopefully successful KSK-roll :-)]
> 
> Thanks,
> Andreas

More information about the dns-operations mailing list