[dns-operations] BlackHat Presentation on DNSSEC Downgrade attack

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Aug 13 19:41:41 UTC 2022

On Sat, Aug 13, 2022 at 03:07:22PM -0400, Peter Thomassen wrote:

> On 8/11/22 17:56, Phillip Hallam-Baker wrote:
> > NSEC record specifies what is signed but not the algorithm used to
> > sign. DNSSEC allows multiple signature and digest algorithms on the
> > same zone. If a zone does this, validators are prohibited from
> > rejecting records only signed using one of the algorithms rather
> > than both.
> > ...
> > 
> > This definitely needs fixing.
> I agree that the specs should more clearly say that when a validating
> resolver sees a (supported?) algorithm in DS without seeing
> corresponding RRSIG authenticated via such DS record, the response
> MUST be bogus.

I am generally in favour of specifications being somewhat more explicit
even on "obvious" details than is at times common in IETF RFCs.
Implementors are sometimes busy, and the even the obvious may be

> Apart from that: What else needs fixing? (You mentioned something with NSEC.)

The NSEC throw-away in the slides looks spurious to me.  Sure NSEC
records don't specify which RRSIG signature algorithms accompany the
RRsets listed in the type bitmap, but this is not a compelling addition.
NSEC records only accompany denial of existence, normal responses don't
carry NSEC records.  The DS and DNSKEY RRs provide all the needed
information, the rest merely requires an implementation that avoids
unnecessary downgrade issues.


More information about the dns-operations mailing list