[registration-issues-wg] [CPWG] Google public DNS breaks DNS resolution

lutz at fitug.de lutz at fitug.de
Tue Apr 30 11:22:54 UTC 2019


I recently came across this really mad idea by Google engineers:
https://developers.google.com/speed/public-dns/docs/security#nonce_prefixes

They try to protect against DNS spoofing by adding entropy in queries to
root/TLD name servers.
That's a braindead idea, because they can query all those servers using
DNSSEC, which invalidates the reasoning itself.

But the more important point is, that this solution is based on a misguided
understanding of DNS itself.

Let's take for instance "www.uit.int" as an example.

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37704
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1;; QUESTION
SECTION:
;www.uit.int.           IN A
;; ANSWER SECTION:
www.uit.int.            CNAME   www.itu.int.
www.uit.int.            RRSIG   CNAME 7 3 86400 2019...
;; AUTHORITY SECTION:
itu.int.                NS      ns.itu.ch.
itu.int.                NS      ns2.itu.ch.
itu.int.                NS      ns3.itu.ch.
[DNSSEC stuff]

So we do get a resolution and a delegation.

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48110
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;; QUESTION SECTION:
;nonce-for-dummies.www.uit.int. IN A
;; AUTHORITY SECTION:
int.                    SOA     sns.dns.icann.org. ...
[lot of DNSSEC NSEC3 non-existence proofs]

But the modified request does not reveal even a hint, that the original
query might be successful.

If necessary, I'm happy to discuss the basics of DNS directly to the
engineer, if somebody makes a contact.
This discussion will include "non empty non-terminals" and the difference
between DS and DNSKEY, both issues where Google public DNS fails.

_______________________________________________
CPWG mailing list
CPWG at icann.org
https://mm.icann.org/mailman/listinfo/cpwg


More information about the registration-issues-wg mailing list