> On 17. 3. 2025, at 23:16, Willem Toorop <wil...@nlnetlabs.nl> wrote:
>
> And in addition to that, it prevents all unsigned parts of the hijacked zone
> from being rewritten. For example, if com is hijacked, unsigned zones like
> google.com can be redirected. Similarly, if the root is hijacked, all unsigned
> responses for the entire DNS can be rewritten.
> NS revalidation of signed delegations is the only mitigation that protects
> against on-path or partly on-path attacks.
Willem, this part caught my eye. Can we elaborate a little bit more?

0. With a full on-path attacker there's no protection of unsigned zones, with or without NS revalidation. Hope we can agree on this. So, what do you mean by partly on-path then? There are 26 IP addresses for the RZ, and there are 26 IP addresses for .com and .net.

1. If the attacker sits on 1-26 of the IP addresses for .com/.net, the unsigned zones are not protected, right? The attacker can give whatever glue they want.

2. If the attacker sits on 1-26 of the IP addresses for the RZ, this is where the NS revalidation will possibly help for a validating resolver. It will not do any good for a non-validating resolver; there's no difference, as the attacker can just either directly hijack the name by returning the data, or return their own referral.

Now, correct me if I'm wrong – the whole NS revalidation process protects only DNSSEC-enabled resolvers against attacks on unsigned domains by attackers on-path to the parent zone. Every other scenario is either directly vulnerable or can be worked around by the attacker.

I get your point that this might improve the situation a little bit, but I don't share the conclusion that this is worth the effort and the additional complexity.

Thanks,
Ondrej

--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
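A toy model of the three attacker positions discussed in this message, written as an added example (not code from the thread or from any resolver). The zone data, the attacker's NS name and the simplified DNSSEC model (a forged referral for a signed child cannot carry a valid RRSIG) are constructed assumptions.

```python
# Constructed toy model: where NS revalidation does and does not protect an
# unsigned zone (example.com) when the attacker is on-path to one parent.
# Not code from the thread; zone data and the DNSSEC model are assumptions.

# 'signed' models whether the zone has DNSSEC keys the attacker does not hold;
# 'ns' is the zone's own authoritative NS set (constructed values).
ZONES = {
    ".":            {"signed": True,  "ns": {"a.root-servers.net"}},
    "com.":         {"signed": True,  "ns": {"a.gtld-servers.net"}},
    "example.com.": {"signed": False, "ns": {"ns1.example.com"}},
}
CHILD_OF = {".": "com.", "com.": "example.com."}
ATTACKER_NS = {"ns.attacker.invalid"}   # hypothetical attacker glue


def referral(parent, attacker_at):
    """Referral for the child of `parent`. If the attacker is on-path to
    `parent`'s servers, the referral points at the attacker's own glue."""
    child = CHILD_OF[parent]
    forged = parent == attacker_at
    return {"zone": child, "forged": forged,
            "ns": ATTACKER_NS if forged else ZONES[child]["ns"]}


def revalidate(ref, validating):
    """NS revalidation: ask the referred servers for the child's apex NS
    RRset. For a signed child a validating resolver can check the RRSIG and
    attacker-served data fails; for an unsigned child (or a non-validating
    resolver) the forged set simply confirms itself."""
    signed = ZONES[ref["zone"]]["signed"]
    if ref["forged"] and signed and validating:
        return "bogus"
    return "accepted"


def resolve(attacker_at, validating, ns_revalidation):
    """Walk root -> com -> example.com and report who ends up answering:
    'honest', 'attacker', or 'servfail' (revalidation rejected the referral)."""
    zone = "."
    while zone != "example.com.":
        ref = referral(zone, attacker_at)
        if ns_revalidation and revalidate(ref, validating) == "bogus":
            return "servfail"
        zone = ref["zone"]
        if ref["forged"]:
            # Resolver now talks to attacker servers for this zone and below.
            return "attacker"
    return "honest"
```

With the attacker on-path to .com the unsigned child is lost regardless of settings (point 1); with the attacker on-path to the root only a validating resolver with revalidation refuses the forged delegation (point 2).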
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org