[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Aug 18 04:56:14 UTC 2021


On Wed, Aug 18, 2021 at 03:48:03AM +0000, Paul Vixie wrote:

> On Wed, Aug 18, 2021 at 07:12:32AM +1000, Mark Andrews wrote:
> > ... Everything that comes off the wire needs to be checked.
> > Occasionally some checks will be missed.
> 
> check everything, like marka said. bounce bad stuff often. make problems
> hot, early, and fast, for implementations by fresh undamaged programmers
> who are ready to declare "works for me" and take off for their weekend.

Yes, but *where*?  Do you concur that it is the resolver's job to
check RDATA element syntax?

   - For which RRtypes?

   - Using what syntax rules?

   - Should resolvers e.g. check that "3 1 0" TLSA records hold
     a well-formed X.509 SubjectPublicKeyInfo DER octet-string?
     Or that "3 0 0" holds a well-formed X.509 certificate?

   - Should CNAMEs be valid DNS hostnames?  Or are CNAMEs in
     reverse (PTR) lookups more equal than others?  (Since they
     sometimes take special forms to encode CIDR delegations?)

I'm all for better libraries (I've contributed a number of improvements
to the Haskell Network.DNS library), but I am not keen to see resolvers
doing well-meaning, but always incomplete and difficult to rely on
validation.

-- 
    Viktor.
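As an added illustration (not part of this thread, and not code from any of the posters), here is the kind of TLSA RDATA syntax check the questions above describe, placed in the consuming library rather than the resolver. It assumes the RFC 6698 wire layout (usage, selector, matching type, then certificate association data); the function names and the constructed inputs in the comments are my own.

```python
# Added example: minimal TLSA RDATA well-formedness check at the application/library
# layer. Field layout per RFC 6698: usage(1) selector(1) matching(1) cert-assoc-data.
import struct

# Digest length each hash-based matching type must carry (1 = SHA-256, 2 = SHA-512).
DIGEST_LEN = {1: 32, 2: 48}


def der_length(buf, offset):
    """Decode a DER length at buf[offset]; return (length, bytes_consumed)."""
    first = buf[offset]
    if first < 0x80:                      # short form
        return first, 1
    nbytes = first & 0x7F                 # long form: next nbytes hold the length
    if nbytes == 0 or nbytes > 4 or offset + 1 + nbytes > len(buf):
        raise ValueError("bad DER length encoding")
    return int.from_bytes(buf[offset + 1:offset + 1 + nbytes], "big"), 1 + nbytes


def looks_like_der_sequence(data):
    """True if data is exactly one DER SEQUENCE (the outer shell of a cert or SPKI)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    try:
        length, consumed = der_length(data, 1)
    except (ValueError, IndexError):
        return False
    return 1 + consumed + length == len(data)


def check_tlsa_rdata(rdata):
    """Return 'ok', or a string naming the first syntax problem found."""
    if len(rdata) < 4:                    # three fixed octets plus non-empty data
        return "rdata too short"
    usage, selector, matching = struct.unpack("!BBB", rdata[:3])
    assoc = rdata[3:]
    if usage > 3:
        return f"unknown certificate usage {usage}"
    if selector > 1:
        return f"unknown selector {selector}"
    if matching in DIGEST_LEN:
        if len(assoc) != DIGEST_LEN[matching]:
            return f"matching type {matching} needs {DIGEST_LEN[matching]} bytes, got {len(assoc)}"
        return "ok"
    if matching == 0:
        # Full certificate (selector 0) or SubjectPublicKeyInfo (selector 1):
        # both are DER SEQUENCEs, so at least check the outer TLV is consistent.
        return "ok" if looks_like_der_sequence(assoc) else "association data is not a DER SEQUENCE"
    return f"unknown matching type {matching}"
```

Note that this only checks the outer DER envelope; a full SPKI or certificate parse belongs to the X.509 library that will actually consume the record.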