[dns-operations] [Ext] Re: help with a resolution

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jan 9 00:39:51 UTC 2020


On Wed, Jan 08, 2020 at 07:12:09PM -0500, Warren Kumari wrote:

> > Or more simply, when Let's Encrypt, or some cloud provider asks you to
> > publish a TXT RR in your zone to prove zone control, how sure are you
> > that's not a hash collision in disguise?
> 
> It **could** be, but I'm still failing to see how they could use this
> -- LE asks me to publish:
> 
> _acme-challenge.example.com 600 IN TXT "I_like_Cheese" in my zone, and
> I sign it.

But secretly, "I_like_Cheese" (FWIW, much too short for the current
attack) the signature of that RRset is the same as the signature of a
mutated DNSKEY RRset for "example.com".

> LE asks Bob to publish:
> _acme-challenge.example.net 600 IN TXT "I_like_Natchos" in his zone,
> and Bob signs it.

No, we can stop there that's not the attack, because that would not be
signed under the same key, BUT this raises a related issue I had not
considered, there are many hosting operators that sign multiple customer
domains under the same key.  If any one of those domains publishes a
hostile TXT RR, that RR can be used to forge records in other zones
that re-use the key!

For example, the same *****.net operated algo 7 ZSK signs ~148k
customer domains (I am a bit hesitant to publish the operator
name just at the moment).

[ I sent you an invite on Hangouts, feel free to ping off-list. ]

-- 
    Viktor.



More information about the dns-operations mailing list