[dns-operations] [dnsext] BlackHat Presentation on DNSSEC Downgrade attack

Donald Eastlake d3e3e3 at gmail.com
Thu Aug 11 22:41:23 UTC 2022

Maybe I'm confused but I don't see that there is any problem with NSEC. If
a resolver believes in a broken algorithm, of course you are screwed. Say
BK is such a broken algorithm. Assume you go to the work of specifying and
using NSECbis that specifies the signing algorithm(s). If BK is broken, the
attacker can just forge new NSECbis RRs signed by BK that specify BK as the
signing algorithm. It is the resolver's belief in BK that is the problem.

So say a zone is signed by the zone owner with both BK and a strong
algorithm denoted STRONG. As long as a resolver only trusts STRONG
signatures I don't see how the status of what NSECs say is signed can cause
forged data to be trusted.

 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3 at gmail.com

On Thu, Aug 11, 2022 at 5:56 PM Phillip Hallam-Baker <hallam at gmail.com> wrote:

> Looks to me like there is a serious problem here.
> NSEC record specifies what is signed but not the algorithm used to sign.
> DNSSEC allows multiple signature and digest algorithms on the same zone. If
> a zone does this, validators are prohibited from rejecting records only
> signed using one of the algorithms rather than both.
> Won’t go into extreme detail here as researcher’s slides will be available
> tomorrow.
> This definitely needs fixing.
> One near term fix is to make SHA-1 a MUST NOT. It is long past its sell-by
> date now.
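As an added illustration of the policy point argued in this exchange (example code, not from either poster), a toy validator compares a resolver that accepts any algorithm the zone uses against one that trusts only STRONG. Algorithm numbers 5 (RSASHA1) and 13 (ECDSAP256SHA256) are the real IANA registry values; the keys, RRsets and HMAC stand-ins for RRSIG cryptography are constructed for this example.

```python
import hmac
import hashlib

# IANA DNSSEC algorithm numbers (real registry values); BK = 5, STRONG = 13 here
RSASHA1, ECDSAP256SHA256 = 5, 13

def canonical(rrset):
    # Constructed canonical form: sorted "owner type rdata" lines
    return "\n".join(sorted(f"{o} {t} {r}" for o, t, r in rrset)).encode()

def sign(rrset, key):
    # Toy RRSIG: an HMAC over the canonical RRset stands in for real signature math
    tag = hmac.new(key["secret"], canonical(rrset), hashlib.sha256).hexdigest()
    return {"alg": key["alg"], "keytag": key["keytag"], "sig": tag}

def validate(rrset, rrsigs, dnskeys, trusted_algs):
    """True if at least one RRSIG over rrset verifies under a matching DNSKEY
    whose algorithm the resolver trusts (any single valid path suffices)."""
    for rrsig in rrsigs:
        if rrsig["alg"] not in trusted_algs:
            continue  # resolver policy: ignore signatures by untrusted algorithms
        for key in dnskeys:
            if key["keytag"] == rrsig["keytag"] and key["alg"] == rrsig["alg"]:
                expected = sign(rrset, key)["sig"]
                if hmac.compare_digest(expected, rrsig["sig"]):
                    return True
    return False

# Constructed zone keys: one broken algorithm (BK) and one strong one
WEAK = {"alg": RSASHA1, "keytag": 1001, "secret": b"bk-secret"}
STRONG = {"alg": ECDSAP256SHA256, "keytag": 2002, "secret": b"strong-secret"}
DNSKEYS = [WEAK, STRONG]
GENUINE = [("www.example.", "A", "192.0.2.10")]
FORGED = [("www.example.", "A", "203.0.113.66")]

def downgrade_scenario():
    # Zone owner signs with both algorithms, as the quoted post describes
    genuine_sigs = [sign(GENUINE, WEAK), sign(GENUINE, STRONG)]
    # "BK is broken" is modelled by the forger producing a valid BK signature;
    # the STRONG RRSIG is simply absent from the forged response
    forged_sigs = [sign(FORGED, WEAK)]
    permissive = {RSASHA1, ECDSAP256SHA256}   # trusts every algorithm in the zone
    strict = {ECDSAP256SHA256}                # Donald's resolver: STRONG only
    return {
        "genuine_permissive": validate(GENUINE, genuine_sigs, DNSKEYS, permissive),
        "genuine_strict": validate(GENUINE, genuine_sigs, DNSKEYS, strict),
        "forged_permissive": validate(FORGED, forged_sigs, DNSKEYS, permissive),
        "forged_strict": validate(FORGED, forged_sigs, DNSKEYS, strict),
    }
```

The genuine RRset passes under both policies, while the forged RRset is accepted only by the permissive resolver; distrusting BK outright, as the two posters each argue from different angles, is what closes the path.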
