On Wed, 7 May 2025, 张淑涵 wrote:

It’s my honor to share our recently submitted draft titled “Handling Unvalidated Data during DNSSEC Troubleshooting” (draft-zhang-dnsop-dnssec-unvalidated-data-00).
Draft link: https://datatracker.ietf.org/doc/draft-zhang-dnsop-dnssec-unvalidated-data/

Given the design complexity and the prevalence of misconfigurations of DNSSEC, many DNS resolvers support troubleshooting mechanisms for the public, during which the received DNS data are not required to be validated. However, as this draft demonstrates, this can open a new attack surface, where attackers abuse the troubleshooting mechanism to inject forged data into the resolver’s cache and trigger persistent domain resolution failure due to the reuse of the cached unvalidated data. To mitigate this risk, the draft proposes recommendations for DNSSEC-validating resolvers on how to cache and reuse DNS data introduced during DNSSEC troubleshooting. The draft indicates that data intended for troubleshooting can have a severe but overlooked impact on the routine functioning of DNS. Hence, it aims to raise the community’s awareness of handling DNSSEC troubleshooting data with more caution, so as to prevent any potential abuse.

I think DNS resolvers are already handling this properly?

paul@bofh:~$ dig +cd +short dnssec-failed.org
96.99.227.255
paul@bofh:~$ dig +short dnssec-failed.org
paul@bofh:~$

Summary of key points:

- Clarification of unvalidated data in DNSSEC, as a complement to RFC 4033-4035

I'm not sure if this is unclear?

- Demonstration of a new Denial-of-Service attack surface on DNSSEC-validating 
resolvers due to their reuse of cached unvalidated data

Which DNS resolvers are currently misimplementing things for this to be a 
concern?

Paul

- Recommendations on how to cache and reuse DNSSEC-unvalidated data to mitigate 
the DoS risk

We welcome feedback from the community. We would be happy to discuss this in a 
future DNSOP session.

Best regards,

Shuhan Zhang

Tsinghua University

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
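The dig pair above tests one property: an answer fetched with CD=1 (checking disabled, the usual troubleshooting path) must not later be served to a CD=0 query without being validated. The following toy model is an added illustration of that property and is not code from the draft, from any resolver, or from either poster. It contrasts a naive resolver with a single cache against one whose cache entries carry a validation state. The name dnssec-failed.org and the address 96.99.227.255 are taken from the dig output in the thread; the example.org entry, its address, and the hard-coded per-name validation outcomes are constructed stand-ins for real DNSSEC validation against a trust anchor.

```python
"""Toy model: caching data fetched with CD=1 in a validating resolver.

Added example, not the code of any real resolver. The UPSTREAM table is a
constructed stand-in for fetching RRsets/RRSIGs and validating them.
"""
from dataclasses import dataclass

SERVFAIL = "SERVFAIL"

# Constructed: (rdata, validation outcome) per name. In a real resolver the
# outcome comes from validating RRSIGs up to a trust anchor.
UPSTREAM = {
    "dnssec-failed.org": ("96.99.227.255", "bogus"),  # from the thread's dig output
    "example.org": ("93.184.216.34", "secure"),       # assumed secure zone
}


@dataclass
class CacheEntry:
    rdata: str
    state: str  # "secure", "insecure", "bogus" or "unvalidated"


class NaiveResolver:
    """Weak behaviour: one cache with no per-entry validation state.

    A CD=1 lookup stores the unvalidated answer, and every later CD=0
    lookup is answered from it without validation ever running.
    """

    def __init__(self) -> None:
        self.cache: dict[str, str] = {}

    def resolve(self, name: str, cd: bool = False) -> str:
        if name in self.cache:
            return self.cache[name]  # reused no matter how it got here
        rdata, state = UPSTREAM[name]
        if not cd and state == "bogus":
            return SERVFAIL
        self.cache[name] = rdata  # CD=1 answers pollute the shared cache
        return rdata


class ValidatingResolver:
    """Hardened behaviour: entries remember whether they were validated.

    CD=1 queries are answered from whatever is cached or fetched, but the
    entry is marked "unvalidated". CD=0 queries never use such an entry
    directly: it is validated first, and a bogus result is answered with
    SERVFAIL (which is what `dig +short` printing nothing shows above).
    """

    def __init__(self) -> None:
        self.cache: dict[str, CacheEntry] = {}

    def _fetch(self, name: str) -> str:
        return UPSTREAM[name][0]

    def _validate(self, name: str) -> str:
        return UPSTREAM[name][1]

    def resolve(self, name: str, cd: bool = False) -> str:
        entry = self.cache.get(name)
        if cd:
            # Troubleshooting path: return the data, but record its state.
            if entry is None:
                entry = CacheEntry(self._fetch(name), "unvalidated")
                self.cache[name] = entry
            return entry.rdata
        # Normal path: an unvalidated entry may be reused as input to
        # validation, never as an answer.
        if entry is None or entry.state == "unvalidated":
            rdata = entry.rdata if entry is not None else self._fetch(name)
            entry = CacheEntry(rdata, self._validate(name))
            self.cache[name] = entry
        if entry.state == "bogus":
            return SERVFAIL
        return entry.rdata


if __name__ == "__main__":
    good = ValidatingResolver()
    print(good.resolve("dnssec-failed.org", cd=True))  # 96.99.227.255
    print(good.resolve("dnssec-failed.org"))           # SERVFAIL
    bad = NaiveResolver()
    bad.resolve("dnssec-failed.org", cd=True)
    print(bad.resolve("dnssec-failed.org"))            # 96.99.227.255, served unvalidated
```

Running the two queries in the same order as the dig session shows the difference: the hardened resolver hands the CD=1 client the address and then returns SERVFAIL for the CD=0 client, while the naive resolver lets the earlier CD=1 lookup turn a validation failure into a successful, unvalidated answer. The model deliberately keeps the bogus entry so that a later CD=1 query can still be answered from it, which is the troubleshooting use the draft is concerned with.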