[dns-operations] BlackHat Presentation on DNSSEC Downgrade attack

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Aug 22 15:42:45 UTC 2022

On Mon, Aug 22, 2022 at 04:18:36PM +0200, Haya Shulman wrote:

> [ Further ad-hominem off-topic to this list removed ]

Please refrain from further efforts in that direction.

> in our project we evaluated two ways to downgrade DNSSEC, by disabling
> validation and by downgrading to a weaker cryptographic algorithm.

There is little evidence for, and much current practice to dispel, the
idea that DNSSEC is intended to ensure that the "strongest" mutually
supported algorithm will be used by validators of multi-algorithm signed
zones.  Failure to ensure that the strongest algorithm is used for
validation is not a bug.  Zone signers should not use weak algorithms
(nor weak parameters, e.g. 512-bit RSA keys) for signing.  If a zone is
signed with weak crypto, it is potentially vulnerable to cryptographic
attacks (more so in the case of DNSSEC from weak parameters than "weak"

> The different vulnerabilities are caused by an attempt to allow
> replacing and adding new algorithms.

No, the reported vulnerability is caused primarily by implementation
bugs and only secondarily by insufficiently prescriptive language about
the responsibilities of the validating resolver that left some of the
requirements implicit.

> Analysis of the different problems leads to one root cause: the
> current algorithm agility in DNSSEC is what allows our attacks.

DNSSEC algorithm agility is a success, and has supported multiple

    .  RSA with MD5 originally
    -> RSA with SHA1 (5)
    -> RSA with SHA1 and NSEC3 (7)
    -> more recently, RSA with SHA256 (8) or ECDSA P256 (13)
    ... in a few years time ...
    -> EdDSA 25519 (15)

DNSSEC allows the validator to employ a mutually supported algorithm to
validate the signed zone, and, when implemented correctly, does so
without downgrade opportunities to "Insecure".  Bug reports on
implementations that fail to avoid downgrade to "Insecure" are always
appreciated (my thanks to Nils for one such report).

> [RFC7696] says "Algorithm agility is achieved when a protocol
> can easily migrate from one algorithm suite to another more desirable
> one, over time." - The ability to migrate from one algorithm suite to
> another in the current implementations is what exposes DNSSEC to our
> attacks.

This is not correct, as evidenced by implementations that are not
vulnerable to the reported downgrades to "Insecure".  "Downgrades" to
the weaker of two signing algorithms are a "feature not a bug".
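The distinction drawn above between a correctly implemented validator and one that can be downgraded to "Insecure", as an added Python model that is not part of this thread: the algorithm numbers are the ones listed in the message, the status logic follows RFC 4035 section 5.2 and RFC 6840 section 5.11, and the flawed validator and the input scenarios are constructed for illustration.

```python
from enum import Enum

class Status(Enum):
    SECURE = "Secure"
    BOGUS = "Bogus"
    INSECURE = "Insecure"

# DNSSEC algorithm numbers named in the message
RSASHA1, RSASHA1_NSEC3, RSASHA256, ECDSAP256, ED25519 = 5, 7, 8, 13, 15

def classify_correct(ds_algs, rrsigs, supported):
    """Validator behaviour per RFC 4035 s5.2 and RFC 6840 s5.11.

    ds_algs:   algorithms in the parent's *authenticated* DS RRset
    rrsigs:    (algorithm, verified) pairs for the RRSIGs received over
               the child RRset; verified=False covers a signature that
               fails to verify or uses an algorithm the validator lacks
    supported: algorithms this validator implements
    """
    usable = set(ds_algs) & set(supported)
    if not usable:
        # No supported DS algorithm: there is no authentication path
        # from the parent, so the zone is treated like one with no DS.
        return Status.INSECURE
    # Any single valid signature under a supported DS algorithm is
    # enough; the validator is not required to prefer the strongest.
    if any(alg in usable and ok for alg, ok in rrsigs):
        return Status.SECURE
    # A supported path exists but nothing on it verifies.
    return Status.BOGUS

def classify_downgradable(ds_algs, rrsigs, supported):
    """Hypothetical flawed validator (constructed): it decides 'Insecure'
    from the algorithms seen in the received RRSIGs instead of from the
    authenticated DS set, so stripped or unsupported signatures are
    mistaken for an unsigned zone."""
    present = {alg for alg, _ in rrsigs}
    if not present & set(supported):
        return Status.INSECURE
    return classify_correct(ds_algs, rrsigs, supported)

SUPPORTED = {RSASHA256, ECDSAP256, ED25519}
DS_MODERN = {RSASHA256, ECDSAP256}          # constructed DS set
TAMPERED = [(RSASHA1_NSEC3, False)]         # constructed: only an unverifiable sig left

if __name__ == "__main__":
    print(classify_correct(DS_MODERN, TAMPERED, SUPPORTED))       # Status.BOGUS
    print(classify_downgradable(DS_MODERN, TAMPERED, SUPPORTED))  # Status.INSECURE
```

The third scenario in the test below is the "feature not a bug" case: a zone signed with both RSA/SHA1 (5) and ECDSA P256 (13) validates as Secure on the weaker path alone, which is what the message describes as intended behaviour.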
