> On 8 May 2025, at 03:13, Paul Wouters <[email protected]> wrote:
>
> On Wed, 7 May 2025, 张淑涵 wrote:
>
>> It’s my honor to share our recently submitted draft titled “Handling Unvalidated Data during DNSSEC Troubleshooting” (draft-zhang-dnsop-dnssec-unvalidated-data-00).
>> Draft link: https://datatracker.ietf.org/doc/draft-zhang-dnsop-dnssec-unvalidated-data/
>>
>> Given the design complexity and the prevalence of misconfigurations of DNSSEC, many DNS resolvers support troubleshooting mechanisms by the public, during which the received DNS data are not enforced to be validated. However, as this draft demonstrates, this could open a new attack surface, where attackers can abuse the troubleshooting mechanism to inject forged data into the resolver’s cache, and trigger persistent domain resolution failure due to the reuse of the cached unvalidated data. To mitigate such risk, this draft proposes recommendations for DNSSEC-validating resolvers on how to cache and reuse DNS data introduced during DNSSEC troubleshooting. This draft indicates that the data intended for troubleshooting can have severe but overlooked impact on the routine functioning of DNS. Hence, it aims to raise the community’s awareness on handling DNSSEC troubleshooting data more cautiously, so as to prevent any potential abuse.
>
> I think DNS resolvers are already handling this properly?
>
> paul@bofh:~$ dig +cd +short dnssec-failed.org
> 96.99.227.255
> paul@bofh:~$ dig +short dnssec-failed.org
> paul@bofh:~$

When all the sources are broken your test works. Try daisy chaining servers which always send CD=1 (current advice). Have 2 sets of servers for the zone, some with good answers and some with broken answers. Turn off the good servers. Prime the daisy chain. Turn on the good servers. Try to retrieve the answer. This simulates spoofed answers being accepted by the end of the daisy chain.

>> Summary of key points:
>> - Clarification of unvalidated data in DNSSEC, as a complement to RFC 4033-4035
>
> I'm not sure if this is unclear?
>
>> - Demonstration of a new Denial-of-Service attack surface on DNSSEC-validating resolvers due to their reuse of cached unvalidated data
>
> Which DNS resolvers are currently misimplementing things for this to be a concern?
>
> Paul
>
>> - Recommendations on how to cache and reuse DNSSEC-unvalidated data to mitigate the DoS risk
>>
>> We welcome feedback from the community. We would be happy to discuss this in a future DNSOP session.
>>
>> Best regards,
>> Shuhan Zhang
>> Tsinghua University
>>
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
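The priming scenario Mark describes, as an added toy model that is not part of this thread, the draft, or any resolver's code: a cache that keys entries only by name reuses an answer learned through a CD=1 troubleshooting query for a later CD=0 query and keeps failing after the good servers are back, while a cache that keeps unvalidated data separate re-fetches and validates. The addresses, zone name and validation stub are constructed.

```python
# Toy model of a validating resolver cache (constructed, not real resolver code).
GOOD_ADDR = "192.0.2.1"       # constructed: genuine address for the zone
SPOOF_ADDR = "198.51.100.66"  # constructed: answer from the broken/spoofing servers


def validate(rdata):
    """Stand-in for DNSSEC validation: only the genuine record verifies."""
    return "SECURE" if rdata == GOOD_ADDR else "BOGUS"


class Upstream:
    """Constructed authoritative side: the good servers can be turned off."""
    def __init__(self):
        self.good_servers_up = True

    def query(self, name):
        return GOOD_ADDR if self.good_servers_up else SPOOF_ADDR


class Resolver:
    def __init__(self, upstream, separate_unvalidated):
        self.upstream = upstream
        self.separate = separate_unvalidated  # keep CD=1 data apart from validated data
        self.cache = {}                       # key -> (rdata, status)

    def resolve(self, name, cd=False):
        # Shared policy: one cache entry per name, whatever query learned it.
        # Separate policy: data fetched with CD=1 lives under its own key.
        key = (name, cd) if self.separate else (name, False)
        if key not in self.cache:
            rdata = self.upstream.query(name)
            # CD=1 means checking is disabled, so the answer is stored unchecked.
            status = "UNCHECKED" if cd else validate(rdata)
            self.cache[key] = (rdata, status)
        rdata, status = self.cache[key]
        if cd:
            return rdata                      # troubleshooting query: no enforcement
        if status == "UNCHECKED":             # reuse of cached unvalidated data
            status = validate(rdata)
            self.cache[key] = (rdata, status)
        return rdata if status == "SECURE" else "SERVFAIL"


def daisy_chain_scenario(separate_unvalidated):
    """Good servers off -> prime with CD=1 -> good servers on -> ordinary query."""
    up = Upstream()
    r = Resolver(up, separate_unvalidated)
    up.good_servers_up = False
    r.resolve("example.test", cd=True)   # priming query from the CD=1 chain
    up.good_servers_up = True
    return r.resolve("example.test")     # CD=0 client behind the chain
```

In the shared-cache case the SERVFAIL persists until the unchecked entry expires, which is the persistent failure the draft describes.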
