Shumon and all,

On 18/07/2023 21.41, Shumon Huque wrote:
> On Tue, Jul 18, 2023 at 3:29 PM Viktor Dukhovni <[email protected]> wrote:
> Yes, I agree. A resolver can't really tell that a response with an expired signature wasn't an attacker trying to replay old data. For robustness against attacks, it must re-query other available servers if they exist.

I kind of think that a resolver using UDP should just drop a response on the floor if it has an expired signature. Otherwise an attacker can induce behavior change by spoofing replies, which is itself a security problem (in this case, blocking with a response that would arrive later and work, effectively removing a name server from the set of name servers queried for a given lookup).

This idea mostly applies to UDP without DNS cookies since it is the only transport easily vulnerable to spoofing. With other transports you are much more sure that the answer actually came from the server you are querying, and so you can be confident that the server is giving out bogus answers. (TCP is vulnerable to BGP hijacking and the like, but in that case you would still expect to get bogus answers for subsequent queries to the same server.)

Unfortunately I don't think any resolvers hold onto a UDP query until after the DNSSEC validation. So there is not really much option other than to try again. 🤓

Cheers,

--
Shane
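To make the two behaviours discussed in this thread concrete, here is an added example (constructed for this page, not code from any resolver or from the thread's participants). It models a validating resolver that receives replies for one query in arrival order, checks the RRSIG validity window with the serial-number arithmetic RFC 4034 requires, and then applies one of two policies: "retry" (a reply with a stale signature counts against the server and the resolver moves on, which is what the thread says resolvers do today) or "drop" (over plain UDP without a cookie the reply is discarded and the resolver keeps waiting on the same server, falling back to "retry" for TCP or cookie-protected UDP). Server names, timestamps and the two scenarios are constructed; the "forged" reply only exists in the model as a reply whose signature is outside its window, so the example shows the defender-side decision logic and nothing else.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32  # RRSIG times are 32-bit serial numbers (RFC 4034 s.3.1.5)


def parse_rrsig_time(text):
    """Parse an RRSIG inception/expiration field in presentation form
    (YYYYMMDDHHmmSS, UTC) into its 32-bit on-the-wire serial value."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % SERIAL_MOD


def serial_le(a, b):
    """a <= b under RFC 1982 serial-number arithmetic, so the comparison keeps
    working across the wrap of the 32-bit field."""
    return (b - a) % SERIAL_MOD < SERIAL_MOD // 2


def rrsig_is_current(inception, expiration, now):
    """Validity-window check: inception <= now <= expiration (RFC 4035 s.5.3.1)."""
    return serial_le(inception, now) and serial_le(now, expiration)


@dataclass
class Reply:
    server: str       # name server the reply claims to come from
    transport: str    # "udp" or "tcp"
    cookie: bool      # a DNS cookie (RFC 7873) was verified on this reply
    inception: int    # RRSIG inception as a serial value
    expiration: int   # RRSIG expiration as a serial value
    note: str = ""    # constructed label used only in the log


def resolve(servers, replies, now, policy):
    """Walk replies for one query in arrival order and return where the
    accepted answer came from (None means no answer, i.e. SERVFAIL),
    which servers were tried, and a log of each decision."""
    idx, log = 0, []
    for r in replies:
        if r.server != servers[idx]:
            log.append(f"ignored reply claiming {r.server}: not the server in flight")
            continue
        if rrsig_is_current(r.inception, r.expiration, now):
            log.append(f"accepted {r.transport} reply from {r.server} ({r.note})")
            return {"answer_from": r.server, "tried": servers[:idx + 1], "log": log}
        # Signature outside its window: the reply cannot be validated.
        if policy == "drop" and r.transport == "udp" and not r.cookie:
            # Indistinguishable from a spoof over unauthenticated UDP: discard
            # silently and keep waiting; the server is not marked bad.
            log.append(f"dropped unverifiable UDP reply from {r.server} ({r.note}); still waiting")
            continue
        # Over TCP or with a cookie the reply really came from that server,
        # so treat it as a bad server and move on (also the "retry" policy).
        log.append(f"stale RRSIG over {r.transport} from {r.server} ({r.note}); re-querying next server")
        idx += 1
        if idx == len(servers):
            break
    tried = servers[:min(idx + 1, len(servers))]
    return {"answer_from": None, "tried": tried, "log": log}


# Constructed clock and signature windows.
NOW = parse_rrsig_time("20230718200000")
STALE = (parse_rrsig_time("20230701000000"), parse_rrsig_time("20230715000000"))  # expired
FRESH = (parse_rrsig_time("20230715000000"), parse_rrsig_time("20230801000000"))  # current
SERVERS = ["ns1.example", "ns2.example"]  # constructed names


def spoofed_udp_scenario():
    """Constructed: a reply with an expired RRSIG arrives first over plain UDP,
    the genuine reply from the same server arrives a moment later."""
    return [
        Reply("ns1.example", "udp", False, *STALE, note="forged"),
        Reply("ns1.example", "udp", False, *FRESH, note="genuine"),
    ]


def stale_tcp_scenario():
    """Constructed: ns1 really is serving expired signatures over TCP; ns2 is fine."""
    return [
        Reply("ns1.example", "tcp", False, *STALE, note="genuine but stale"),
        Reply("ns2.example", "tcp", False, *FRESH, note="genuine"),
    ]


if __name__ == "__main__":
    for name, scenario in (("spoofed UDP", spoofed_udp_scenario), ("stale TCP", stale_tcp_scenario)):
        for policy in ("retry", "drop"):
            result = resolve(SERVERS, scenario(), NOW, policy)
            print(f"{name:12s} policy={policy:5s} answer_from={result['answer_from']}")
            for line in result["log"]:
                print("    " + line)
```

Under "retry" the spoofed-UDP scenario ends with no answer: the first reply removes ns1 from consideration, the genuine ns1 reply is then ignored as coming from a server no longer in flight, and ns2 never answers in this scenario. Under "drop" the same scenario accepts the genuine reply. In the TCP scenario both policies mark ns1 and accept ns2's answer, which is the transport distinction the message above draws.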

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
