[dns-operations] BlackHat Presentation on DNSSEC Downgrade attack

Phillip Hallam-Baker hallam at gmail.com
Thu Aug 11 21:56:31 UTC 2022


Looks to me like there is a serious problem here.

The NSEC record specifies what is signed but not the algorithm used to sign it. DNSSEC allows multiple signature and digest algorithms on the same zone. If a zone does this, validators are prohibited from rejecting records signed using only one of the algorithms rather than both.

I won’t go into extreme detail here as the researcher’s slides will be available tomorrow.

This definitely needs fixing.

One near term fix is to make SHA-1 a MUST NOT. It is long past its sell-by date now.
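To make the validation rule in the message concrete, here is an added example (written for this page; it is not the poster's code and not taken from any DNSSEC implementation). It models the RFC 6840 §5.11 rule that a validator accepts an RRset as soon as one RRSIG made with an algorithm it supports verifies, and compares a validator that still supports the SHA-1 algorithms (5 and 7) with one that treats them as MUST NOT. Real RSA/ECDSA signatures are replaced by HMAC tags, the DNSKEY set stands in for the parent's DS algorithm list, and the keys, key tags and RRset are constructed sample values; all of that is an assumption made for illustration only.

```python
"""Toy DNSSEC multi-algorithm validation policy (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers.
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8
ECDSAP256SHA256 = 13
SHA1_ALGORITHMS = frozenset({RSASHA1, RSASHA1_NSEC3_SHA1})


@dataclass(frozen=True)
class DNSKEY:
    algorithm: int
    key_tag: int
    secret: bytes  # constructed stand-in for real key material


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    tag: bytes  # constructed stand-in for an RSA/ECDSA signature


def canonical(rrset):
    # Stand-in for canonical wire form: sorted, newline-joined RRs.
    return "\n".join(sorted(rrset)).encode()


def toy_sign(key, rrset):
    # HMAC stands in for a real signature; the algorithm number is bound in.
    mac = hmac.new(key.secret, bytes([key.algorithm]) + canonical(rrset),
                   hashlib.sha256).digest()
    return RRSIG(key.algorithm, key.key_tag, mac)


def toy_verify(key, rrset, sig):
    return hmac.compare_digest(toy_sign(key, rrset).tag, sig.tag)


def validate(rrset, rrsigs, dnskeys, supported):
    """Return 'secure', 'bogus' or 'insecure' for an RRset.

    insecure: the zone advertises no algorithm this validator supports,
              so it is treated as unsigned (RFC 6840 section 5.2 rule,
              applied here to the DNSKEY set instead of the DS RRset).
    secure:   at least one RRSIG made with a supported algorithm and a key
              in the DNSKEY set verifies (RFC 6840 section 5.11: never
              insist on every advertised algorithm being present).
    bogus:    a supported algorithm is advertised but no usable RRSIG verifies.
    """
    zone_algs = {k.algorithm for k in dnskeys}
    if not zone_algs & supported:
        return "insecure"
    keys = {(k.algorithm, k.key_tag): k for k in dnskeys}
    for sig in rrsigs:
        if sig.algorithm not in supported:
            continue  # unsupported algorithm: ignored, not a failure
        key = keys.get((sig.algorithm, sig.key_tag))
        if key is not None and toy_verify(key, rrset, sig):
            return "secure"
    return "bogus"


# Constructed zone, double-signed with RSASHA256 and RSASHA1 (e.g. mid-rollover).
RRSET = ("example. 3600 IN A 192.0.2.1",)  # TEST-NET-1 address, constructed
KEY_SHA256 = DNSKEY(RSASHA256, 12345, b"constructed-key-alg8")
KEY_SHA1 = DNSKEY(RSASHA1, 54321, b"constructed-key-alg5")
DNSKEYS = (KEY_SHA256, KEY_SHA1)
FULL_SIGS = (toy_sign(KEY_SHA256, RRSET), toy_sign(KEY_SHA1, RRSET))
SHA1_ONLY_SIGS = (toy_sign(KEY_SHA1, RRSET),)  # the stronger RRSIG is absent

LENIENT = frozenset({RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256})
NO_SHA1 = LENIENT - SHA1_ALGORITHMS  # SHA-1 algorithms treated as MUST NOT


def scenario_table():
    return {
        ("lenient", "both sigs"): validate(RRSET, FULL_SIGS, DNSKEYS, LENIENT),
        ("lenient", "sha1 only"): validate(RRSET, SHA1_ONLY_SIGS, DNSKEYS, LENIENT),
        ("no-sha1", "both sigs"): validate(RRSET, FULL_SIGS, DNSKEYS, NO_SHA1),
        ("no-sha1", "sha1 only"): validate(RRSET, SHA1_ONLY_SIGS, DNSKEYS, NO_SHA1),
        ("no-sha1", "sha1-only zone"): validate(RRSET, SHA1_ONLY_SIGS, (KEY_SHA1,), NO_SHA1),
    }


if __name__ == "__main__":
    for (policy, response), result in scenario_table().items():
        print(f"{policy:8} {response:15} -> {result}")
```

The table shows the two sides of the trade-off in the message: the lenient validator marks the response carrying only the SHA-1 signature as secure, because the rule forbids it from demanding the second algorithm, whereas the validator that drops SHA-1 marks that same response bogus while still accepting the fully signed one via algorithm 8. The last row is the cost of the proposed fix: a zone signed only with a SHA-1 algorithm becomes insecure (treated as unsigned) rather than validated.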


