[RSSAC Caucus] Threat Mitigation for the Root Server System

Mukund Sivaraman muks at mukund.org
Thu Oct 3 07:35:50 UTC 2019


Hi Michael

On Wed, Oct 02, 2019 at 02:42:37PM -0400, Michael Casadevall wrote:
> Helium is the authoritative name for the li694-22 zone. Boron is the
> backup server and replicates via AXFR from helium. The li694-22 is not
> signed in any way. For these tests, I'm accessing the recursive
> resolvers from another machine, specifically neon, one of our database
> nodes.
> 
> 
> Helium's named options relating to DNSSEC are only set as follows:
> named.conf.options:	dnssec-validation auto;
> 
> When requesting hydrogen's AAAA record with DO=1:
> 
> mcasadevall at neon:~$ dig @helium.li694-22 hydrogen.li694-22 AAAA +dnssec
> 
> ; <<>> DiG 9.9.5-3ubuntu0.15-Ubuntu <<>> @helium.li694-22
> hydrogen.li694-22 AAAA +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58352
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;hydrogen.li694-22.		IN	AAAA
> 
> ;; ANSWER SECTION:
> hydrogen.li694-22.	3600	IN	AAAA	2600:3c00::f03c:91ff:fe6e:1ded
> 
> ;; AUTHORITY SECTION:
> li694-22.		3600	IN	NS	helium.li694-22.
> li694-22.		3600	IN	NS	boron.li694-22.
> 
> ;; ADDITIONAL SECTION:
> boron.li694-22.		3600	IN	AAAA	2600:3c00::f03c:91ff:fe6e:c4bf
> helium.li694-22.	3600	IN	AAAA	2600:3c00::f03c:91ff:fe6e:1d88
> 
> ;; Query time: 0 msec
> ;; SERVER: 2600:3c00::f03c:91ff:fe6e:1d88#53(2600:3c00::f03c:91ff:fe6e:1d88)
> ;; WHEN: Wed Oct 02 17:45:52 UTC 2019
> ;; MSG SIZE  rcvd: 171
> 
> I get an AA record, but no signed results. This should be SERVFAIL
> because there's no chain from root. Notably, running a test against a
> known bad domain fails as expected:

Isn't "li694-22." a fake domain that only exists on your authoritative
server "helium"? And it is unclear if you're also running a fake root
zone as in the 1st case you'd described. It's not entirely clear without
seeing all the zone's contents and nameserver config.

Anyway, here you're querying helium directly for
"hydrogen.li694-22./AAAA". helium is authoritative for "li694-22." as
you've noted - the authoritative server algorithm does not perform DNSSEC
validation (it is the resolver algorithm that does). Basically helium is
serving the unsigned "li694-22." zone in this case in isolation. It
serves no DNSSEC records because none exist, and returns AA=1.

The nameserver (one that has both authoritative and resolver
functionality) prefers to return authoritative data when it is available
over cached data.

		Mukund
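The distinction Mukund draws above (DO=1 only asks for DNSSEC records; AA=1 means the answer came from the authoritative code path, which never validates; only a resolver sets AD=1 or returns SERVFAIL for bogus data) is easy to check mechanically from dig output. The following is an added example, not part of this thread or of any RSSAC work product: a small parser that reads the header flags, the EDNS flags and the answer section of a dig transcript and labels what kind of answer it is. The first sample is Michael's own output from helium; the other two samples (a validated answer with an RRSIG, and a SERVFAIL from a validating resolver) are constructed for illustration, with made-up names and signature fields.

```python
import re

# Sample 1: Michael's dig output when querying helium (authoritative for the
# unsigned li694-22 zone) directly with +dnssec. Taken from the thread.
AUTH_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58352
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;hydrogen.li694-22.\t\tIN\tAAAA

;; ANSWER SECTION:
hydrogen.li694-22.\t3600\tIN\tAAAA\t2600:3c00::f03c:91ff:fe6e:1ded
"""

# Sample 2 (constructed): what a validating resolver returns for a name in a
# signed zone. Note: no aa flag (cached data), ad flag set, RRSIG in the answer.
# The zone name, TTLs, key tag and signature are placeholders.
RESOLVER_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.example.\t\tIN\tA

;; ANSWER SECTION:
www.example.\t300\tIN\tA\t192.0.2.1
www.example.\t300\tIN\tRRSIG\tA 13 2 300 20191101000000 20191001000000 12345 example. constructedsignature==
"""

# Sample 3 (constructed): a validating resolver refusing to hand back data that
# fails validation. This is the SERVFAIL Michael expected to see.
RESOLVER_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bad.example.\t\tIN\tA
"""


def parse_dig(text):
    """Pull status, header flags, EDNS flags and RRSIG presence out of dig output."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else None
    m = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    flags = set(m.group(1).split()) if m else set()
    m = re.search(r"^; EDNS: .*flags: ([a-z ]*);", text, re.M)
    edns = set(m.group(1).split()) if m else set()
    # Only the ANSWER section matters here; cut it off at the next ";;" header.
    answer = ""
    if ";; ANSWER SECTION:" in text:
        answer = text.split(";; ANSWER SECTION:", 1)[1].split("\n;;", 1)[0]
    rrsig = any(re.search(r"\sIN\s+RRSIG\s", line) for line in answer.splitlines())
    return {"status": status, "flags": flags, "edns": edns, "rrsig_in_answer": rrsig}


def classify(text):
    """Label an answer by where it came from and whether anything validated it."""
    r = parse_dig(text)
    if r["status"] == "SERVFAIL":
        # With DO=1 this is what a validating resolver returns for bogus data.
        return "servfail"
    if "aa" in r["flags"]:
        # Authoritative code path: zone data served as-is, never validated.
        # The DO bit only asks for RRSIGs; an unsigned zone has none to give.
        return "authoritative-signed" if r["rrsig_in_answer"] else "authoritative-unsigned"
    if "ad" in r["flags"]:
        # Only a validating resolver sets AD.
        return "resolver-validated"
    return "resolver-unvalidated"


if __name__ == "__main__":
    for name, sample in [("helium direct", AUTH_UNSIGNED),
                         ("validating resolver", RESOLVER_VALIDATED),
                         ("bogus via resolver", RESOLVER_BOGUS)]:
        print(f"{name}: {classify(sample)}  {parse_dig(sample)}")
```

Running this on Michael's transcript gives `authoritative-unsigned`: AA is set, DO was requested, no RRSIG came back and no AD was set, which is exactly Mukund's point that helium answered from its own unsigned zone data and no validation ever ran. To test validation, the query has to go to the resolver function for a name the resolver cannot answer authoritatively, and the thing to look for is the AD bit or a SERVFAIL, not the AA bit.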


