From: Anders Kaseorg <andersk@mit.edu>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: dnsmasq-discuss@thekelleys.org.uk, cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
Date: Fri, 03 Oct 2014 05:28:35 -0400 [thread overview]
Message-ID: <542E6C43.9030002@mit.edu> (raw)
In-Reply-To: <535FA793.8020502@thekelleys.org.uk>
I just ran into this timeout behavior myself while testing the new
DNSSEC support in OpenWrt 14.07 (dnsmasq 2.71-4). After staring at the
problem for a few hours, I think there’s something wrong with your
justification.
On 04/29/2014 09:22 AM, Simon Kelley wrote:
> To do that, we need to find proof (NSEC or NSEC3 records) that a DS
> doesn't exist somewhere between ds.test-ipv6.com and the root. Bear in
> mind that dnsmasq is a DNS forwarder, not a recursive DNS server, so it
> doesn't know where the zone cuts are.
>
> The current strategy it to start at ds.test-ipv6.com and do DS queries.
> There are three possible results.
>
> unsigned NOERROR -> chop one label off the RHS and repeat
> DS record -> definite Bad Guy activity, return BOGUS
> signed no DS record -> we expect unsigned original answer, return
> INSECURE result.ds.test-ipv6.com
This bottom-up algorithm also seems to have a security problem that’s
just as bad as one with the top-down algorithm that you rejected below.
Consider the same department.campus.university.edu example, where
campus and edu are signed zones, and university is not a zone.
• An attacker forges an evil response for A department, and forges an
unsigned NODATA for DS department.
• dnsmasq chops off one label, and the attacker forges an unsigned
NODATA for DS campus.
• dnsmasq chops off another label, and gets the legitimately signed
NODATA for DS university.
• dnsmasq incorrectly concludes that everything inside university is
expected to be unsigned, and returns the INSECURE evil response.
So if nothing else, the top-down algorithm seems less impractical and
equally insecure. And maybe we can fix it; see below.
> The other alternative approach is to start from the root and add labels,
> but that has a problem.
>
> Consider
>
> department.campus.university.edu
>
> where there are zone cuts between university and edu and between
> department and campus.
>
> All the zones are signed, so if we look up something under .department,
> we expect a signature, if we don't get it, we check
>
> DS .edu gives an answer
> DS university.edu gives secure NODATA
>
> secure no DS means that the original unsigned answer should be accepted,
> except that it shouldn't. There's no way to distinguish between secure
> lack of DS because we've reached an unsigned branch of the tree, and
> secure lack of DS because we're not at a zone cut, except if we know
> where the zone cuts are, and we don't.
Having just looked through RFC 5155 for clues: isn’t that the purpose of
the NS type bit in the NSEC3 record? In this example, DS university
would give an NSEC3 record with the NS bit clear. That signals that we
should go down a level and query DS campus. In this case we find a
signed DS there. But if we were to find an NSEC3 with the NS bit set,
then we’d know that we’ve really found an unsigned zone and can stop
going down.
Anders
next prev parent reply other threads:[~2014-10-03 9:28 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-28 16:55 Jim Gettys
2014-04-28 17:03 ` Dave Taht
2014-04-28 18:37 ` Dave Taht
2014-04-28 18:56 ` Dave Taht
2014-04-28 19:32 ` [Cerowrt-devel] [Dnsmasq-discuss] " Simon Kelley
2014-04-28 19:45 ` Aaron Wood
2014-04-28 23:24 ` Phil Pennock
2014-04-29 13:22 ` Simon Kelley
2014-04-29 20:57 ` Phil Pennock
2014-04-30 17:26 ` Dave Taht
2014-05-01 18:37 ` Simon Kelley
2014-05-01 20:26 ` Rich Brown
2014-05-01 22:27 ` Dave Taht
2014-05-02 14:30 ` Sebastian Moeller
2014-05-01 18:35 ` Simon Kelley
2014-05-02 16:40 ` James Cloos
2014-10-03 9:28 ` Anders Kaseorg [this message]
2014-10-03 17:28 ` [Cerowrt-devel] " Valdis.Kletnieks
2014-10-03 21:35 ` Anders Kaseorg
2014-10-04 21:45 ` Anders Kaseorg
2015-01-08 16:34 ` Simon Kelley
2015-01-08 17:44 ` Dave Taht
2015-01-08 18:07 ` Simon Kelley
2015-01-08 19:52 ` Dave Taht
2015-01-09 8:52 ` Dave Taht
2015-01-09 15:36 ` Simon Kelley
2015-01-09 16:49 ` Simon Kelley
2015-01-09 21:34 ` Dave Taht
2015-01-10 15:37 ` Simon Kelley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=542E6C43.9030002@mit.edu \
--to=andersk@mit.edu \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=dnsmasq-discuss@thekelleys.org.uk \
--cc=simon@thekelleys.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox