Moin! On 18 Mar 2025, at 12:39, Willem Toorop wrote:
>> First, .com is signed, so I'm not sure how you'd hijack it as a whole. > > With an NS revalidating resolvers this is impossible, because the > authoritative parent side .com NS RRset is signed. > > A resolver that does not do NS revalidation uses the unsigned .com NS RRset > from the root zone, and can as such be redirected to the kind of proxy you > describe below. Every resolver that does validation even without that can totally validate any answer from com, so you don’t need re validation for protecting against a signed TLD takeover as the DS from the root authenticates it. It really doesn’t matter who sends you this information. That is what DNSSEC was designed for. >> Second, let's say I run a proxy between the .com server and your resolver, >> and I manipulate unsigned delegations, but forward everything else (so that >> things expected to DNSSEC-validate do actually validate). For my fake >> unsigned delegations, I make sure that my nameservers serve the same fake NS >> RRsets on the child apex. -- If your resolve now does NS re-validation, how >> does that prevent me from rewriting those unsigned delegations? > > It does not. And the proxy can also rewrite the delegations of signed zones, > by rewriting the unsigned parent side NS RRsets and glue (leaving the signed > DS as is). > > But with the latter, a DNSSEC validating NS revalidating resolver will > ultimately reject the rewritten referral of DNSSEC signed zones, because it > requires the authoritative and DNSSEC signed child side of the cut NS RRset. Until the time the signed NS RRset points to servers that are unresponsive, and this is something I have seen more then once in real life. Also if the zone is signed it really doesn’t matter where the answer comes from and the only use case you may protect against is the case where - The name servers for an unsigned zone are in another signed zone in the same TLD - The attacker is on path between the resolver and the TLD, but not on the path between the resolver and the zones name server This IMHO is a too small gain for the complexity re validation adds to the resolver. There is nothing in the world other than DNSSEC that will protect you against any attacker that has full path access behind the resolver. So long -Ralf ——— Ralf Weber _______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org
