Tsunehiko Suzuki, 2018/01/12
```
; RFC 5155 Appendix A. Example Zone and optional records for ENT
example.            IN SOA  ns1.example. bugs.x.w.example. 1 3600 300 3600000 3600
example.            IN NS   ns1.example.
ns1.example.        IN A    192.168.11.1
example.            IN MX   1 xx.example.
; for making empty non-terminal "gov.example"
ex.gov.example.     IN NS   ns.ex.gov.example.
ns.ex.gov.example.  IN A    192.168.11.21
```

The zone is signed with NSEC3 Opt-Out.
Query: `<random>.gov.example. IN A`

Forged response: Flag AA=0, Authority Section: `gov.example. IN NS ns.poison.nom.` (forged delegation)
| Cache server + test | BIND + ldns-signzone | BIND + dnssec-signzone | NSD + ldns-signzone | NSD + dnssec-signzone |
|---|---|---|---|---|
| BIND + nxdomain.ENT | NXDOMAIN | NXDOMAIN | NXDOMAIN | SERVFAIL *1 (NXDOMAIN with +cd) |
| BIND + NS_of_ENT | NODATA | NODATA | NODATA | NODATA |
| BIND + attack | SERVFAIL *2 (poisoned with +cd) | POISONED | SERVFAIL *2 (poisoned with +cd) | SERVFAIL *2 (poisoned with +cd) |
| Unbound + nxdomain.ENT | NXDOMAIN | NXDOMAIN | NXDOMAIN | SERVFAIL *1 (NXDOMAIN with -o CD) |
| Unbound + NS_of_ENT | NODATA | NODATA | NODATA | NODATA |
| Unbound + attack | N/A | POISONED | N/A | N/A |
nxdomain.ENT = `dig -t a foobar.gov.example.`
NS_of_ENT = `dig -t ns gov.example.`
*1 : In spite of the presentation at OARC25, NSD looks broken. You can reproduce the SERVFAIL for 'NSD + ENT + opt-out + dnssec-signzone' with `dig foobar.gov.mufj.jp @8.8.8.8 +nocd +dnssec`. ("gov.mufj.jp" is an ENT; there is an insecure "sub.gov.mufj.jp" zone.)
*2 : After the attack, the poisoned cache can be seen with `dig +cd`.
POISONED result
```
# dig a ns.ex.gov.example

; <<>> DiG 9.11.2 <<>> a ns.ex.gov.example
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64666
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ca9abd03a0e3723cb190f4255a51f34843c7d1f72b3ed00d (good)
;; QUESTION SECTION:
;ns.ex.gov.example.             IN      A

;; ANSWER SECTION:
ns.ex.gov.example.      1800    IN      A       127.0.0.1

;; AUTHORITY SECTION:
gov.example.            48362   IN      NS      ns.poison.nom.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 07 19:15:36 JST 2018
;; MSG SIZE  rcvd: 119
```
What is the NSEC3 actually proving?
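To make that question concrete, here is an added example in Python (my code, not the author's): it implements NSEC3 hashing with the RFC 5155 Appendix A parameters (SHA-1, salt aabbccdd, 12 iterations) and the unsigned-referral check of RFC 5155 section 8.9, then runs the forged `gov.example. NS ns.poison.nom.` referral against two constructed NSEC3 chains for the zone above: one where the signer emitted an NSEC3 RR for the empty non-terminal gov.example, and one where it did not. The chain contents, the type bitmaps and the outcome labels `bogus`/`insecure` are my assumptions; which real signer builds which chain is not settled here. When no NSEC3 matches the ENT, an Opt-Out span covers its hash and the validator must treat the forged referral as an insecure delegation, which is what a poisoned cache looks like.

```python
"""NSEC3 hashing and the RFC 5155 section 8.9 referral check (added example)."""
import base64
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hash parameters of RFC 5155 Appendix A (SHA-1, salt aabbccdd, 12 iterations).
SALT_HEX = "aabbccdd"
ITERATIONS = 12

# base32 (RFC 4648) alphabet -> base32hex, the alphabet NSEC3 owner names use.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) uncompressed wire format of an absolute name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str = SALT_HEX, iterations: int = ITERATIONS) -> str:
    """RFC 5155 section 5: IH(salt, x, k) = H(IH(salt, x, k-1) || salt), base32hex."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


@dataclass(frozen=True)
class NSEC3:
    owner: str              # hashed owner label (base32hex)
    next_hashed: str        # Next Hashed Owner Name field
    opt_out: bool           # Opt-Out flag
    types: FrozenSet[str]   # Type Bit Maps


def covers(rr: NSEC3, h: str) -> bool:
    """True if h lies strictly inside (owner, next); the last RR of the chain wraps."""
    if rr.owner < rr.next_hashed:
        return rr.owner < h < rr.next_hashed
    return h > rr.owner or h < rr.next_hashed


def find_match(chain: List[NSEC3], h: str) -> Optional[NSEC3]:
    return next((rr for rr in chain if rr.owner == h), None)


def find_cover(chain: List[NSEC3], h: str) -> Optional[NSEC3]:
    return next((rr for rr in chain if covers(rr, h)), None)


def closest_encloser(chain: List[NSEC3], name: str) -> Tuple[Optional[str], Optional[str]]:
    """Walk up from the parent of name until an NSEC3 matches (RFC 5155 section 8.3).
    Returns (closest encloser, next closer name)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if find_match(chain, nsec3_hash(candidate)) is not None:
            return candidate, ".".join(labels[i - 1:]) + "."
    return None, None


def classify_referral(chain: List[NSEC3], delegation_name: str) -> str:
    """Outcome of RFC 5155 section 8.9 for an unsigned referral to delegation_name."""
    rr = find_match(chain, nsec3_hash(delegation_name))
    if rr is not None:
        if "NS" in rr.types and "DS" not in rr.types:
            return "insecure"   # a genuine unsigned delegation is proven
        return "bogus"          # name exists but is not an unsigned delegation
    _, next_closer = closest_encloser(chain, delegation_name)
    if next_closer is None:
        return "bogus"
    rr = find_cover(chain, nsec3_hash(next_closer))
    if rr is not None and rr.opt_out:
        return "insecure"       # Opt-Out: an unsigned delegation may exist here
    return "bogus"


def build_chain(owners: List[Tuple[str, FrozenSet[str]]], opt_out: bool) -> List[NSEC3]:
    """Hash and sort the names that got an NSEC3 RR, then link them into a ring."""
    hashed = sorted(((nsec3_hash(n), t) for n, t in owners), key=lambda e: e[0])
    return [NSEC3(h, hashed[(i + 1) % len(hashed)][0], opt_out, t)
            for i, (h, t) in enumerate(hashed)]


APEX = frozenset({"SOA", "NS", "MX", "DNSKEY", "NSEC3PARAM", "RRSIG"})
HOST = frozenset({"A", "RRSIG"})

# Constructed chains for the zone on this page. With Opt-Out the insecure
# delegation ex.gov.example gets no NSEC3, and ns.ex.gov.example is glue.
CHAIN_WITH_ENT = build_chain(
    [("example.", APEX), ("ns1.example.", HOST), ("gov.example.", frozenset())], opt_out=True)
CHAIN_WITHOUT_ENT = build_chain(
    [("example.", APEX), ("ns1.example.", HOST)], opt_out=True)

if __name__ == "__main__":
    for label, chain in (("NSEC3 for ENT present", CHAIN_WITH_ENT),
                         ("NSEC3 for ENT absent ", CHAIN_WITHOUT_ENT)):
        print(label, "-> forged 'gov.example. NS ns.poison.nom.' validates as:",
              classify_referral(chain, "gov.example."))
```

The genuine delegation `ex.gov.example.` validates as insecure in both chains, so a validator cannot tell the cases apart from the outcome alone; the only difference is whether the signer left the ENT's existence provable.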
| Role | ISC | NLnet Labs |
|---|---|---|
| Content server | BIND 9.11.2 | NSD 4.1.12 |
| Cache server | BIND 9.11.2 | Unbound 1.5.10 |
| Sign tool | dnssec-signzone 9.11.2 | ldns-signzone 1.6.17 |