> > Another limitation I've mentioned before, where DNSSEC doesn't protect you,
> > is that a delegation could be falsified such that traffic goes to an
> > eavesdropper that just records but doesn't modify messages.
>
> but on most networks you connect to that you don't trust, they could
> just be monitoring all your port 53 traffic anyway? I don't see this
> much as a use case. An attacker that cannot see your traffic, but could
> get to see your DNS root queries but only briefly if you cache or
> actually use the root zone you just transferred from them. Also query
> minimization makes that use case very uninteresting.

While it is easy to misunderstand what Duane is referencing, or perhaps there was some minimization on his part as well, there is a weakness caused by the unsigned nature of delegations, whereby not protecting (e.g. via zonemd) a publication point against a host of vulnerabilities, by protecting the data itself, creates a very attractive target that lets an adversary scale their attack very effectively.
Here's the gist of the problem, inherent in unsigned glue: IF (big if, with the how/when/where etc. kept as a separate discussion) an attacker manages to modify glue (for example, poisoning a resolver's cache for glue info), the attacker has the opportunity to selectively return unmodified glue, or to replace further glue data (and continue to be a DNS-MITM) and thus both view queries, and if/when the queries cross to insecure delegations, modify non-glue data.

For example, if there is a TLD "foo", and the attacker manages to poison the A record for one (or more) names of NS for "foo", the attacker can act as a forwarder for most *.foo names, but then selectively modify the A records for the NS for "bar.foo", and then for "blech.bar.foo", until there is an insecure delegation, at which point the attacker can spoof any RR type for any name below that zone cut.

The attacker also has control over TTLs of any/all spoofed records, modulo the recursive resolver's TTL ceiling/floor. The attacker can gain further information about the ongoing success of attacks by TTL-based meta-monitoring (high TTL on delegation glue, low TTL on sub-delegation glue, observe sub-delegation re-queries at the spoofed delegation point.)

Even in the case of an all-DNSSEC sub-tree, some attackers may see value in observing ALL the queries (and answers); being a DNS-MITM (via modified glue) achieves this, even for an off-path attacker who normally would not have any visibility to the UDP/53 packets.

The above scenario works even on networks you trust, and even with resolvers you know and trust, as long as there is the ability to attack the glue. A single successful attack on a single resolver's glue has the potential to result in a persistent long-lived DNS exploit, the scope of which is largely limited by the attacker's resources and/or intent and/or desire to evade detection. Application of such an exploit is an exercise in Kaminsky, i.e. the danger is obvious.
IMHO, this is the antithesis of "uninteresting". The theoretical existence of this sort of attack should be motivation enough to advocate for greater DNSSEC deployment efforts. It should motivate any and all methods of preventing undetected (and undetectable) modification of glue records when copies of zone data are retrieved.

A centralized distribution point without data integrity protection of some kind becomes a very scalable place for an attacker to do bulk attacks against large numbers of resolvers. A centralized distribution point WITH data integrity protection that scales provides protection against both centralized AND decentralized (direct cache poisoning) attacks, thus justifying the effort on doing this exact thing.

Brian Dickson

P.S. Documenting aspects of the more-than-theoretical poisoning attacks is long overdue; when time permits, I will work on this, possibly with interested parties. Any/all are welcome to work on this with me, FYI.
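The foo / bar.foo / blech.bar.foo walk described in the post, as an added defender-side audit over constructed delegation data (this is an example written for this page, not code from the thread or from any DNS project; `ZoneCut`, `audit_chain` and the addresses are assumptions, and no real DNS lookups are performed). It shows why a glue mismatch under a signed cut is an observation risk, while the first cut with no DS turns it into a forgery risk for everything below:

```python
from dataclasses import dataclass

@dataclass
class ZoneCut:
    name: str            # child zone name at this delegation point
    ds_in_parent: bool   # parent publishes a DS for the child (chain of trust continues)
    parent_glue: dict    # nameserver -> address as the parent's unsigned glue states it
    child_addrs: dict    # nameserver -> address as the child zone itself serves it

def audit_chain(cuts):
    """Walk zone cuts from the top of the tree downward and report, per cut,
    whether DNSSEC still validates data below it and whether the unsigned glue
    agrees with the child's own authoritative nameserver addresses."""
    secure = True
    report = []
    for cut in cuts:
        if secure and not cut.ds_in_parent:
            secure = False  # first insecure delegation: nothing below is verifiable
        mismatches = sorted(
            ns for ns, addr in cut.parent_glue.items()
            if ns in cut.child_addrs and cut.child_addrs[ns] != addr)
        if not secure:
            risk = "forgery: any RRset at or below this cut can be spoofed undetected"
        elif mismatches:
            risk = "observation: signed data still validates, but queries may route via a MITM"
        else:
            risk = "none observed"
        report.append({"zone": cut.name, "validates": secure,
                       "glue_mismatch": mismatches, "risk": risk})
    return report

# Constructed sample chain (documentation-range addresses), mirroring the post:
# foo. is signed with matching glue, bar.foo. is signed but its glue disagrees
# with the child, and blech.bar.foo. has no DS in its parent.
SAMPLE_CHAIN = [
    ZoneCut("foo.", True,
            {"ns1.foo.": "192.0.2.1"}, {"ns1.foo.": "192.0.2.1"}),
    ZoneCut("bar.foo.", True,
            {"ns1.bar.foo.": "198.51.100.9"}, {"ns1.bar.foo.": "192.0.2.53"}),
    ZoneCut("blech.bar.foo.", False,
            {"ns1.blech.bar.foo.": "203.0.113.7"}, {"ns1.blech.bar.foo.": "203.0.113.7"}),
]

if __name__ == "__main__":
    for entry in audit_chain(SAMPLE_CHAIN):
        print(entry)
```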
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop