[RSSAC Caucus] Threat Mitigation for the Root Server System
Mukund Sivaraman
muks at mukund.org
Thu Oct 3 07:35:50 UTC 2019
Hi Michael
On Wed, Oct 02, 2019 at 02:42:37PM -0400, Michael Casadevall wrote:
> Helium is the authoritative name for the li694-22 zone. Boron is the
> backup server and replicates via AXFR from helium. The li694-22 is not
> signed in any way. For these tests, I'm accessing the recursive
> resolvers from another machine, specifically neon, one of our database
> nodes.
>
> Helium's named options relating to DNSSEC are only set as follows:
> named.conf.options: dnssec-validation auto;
>
> When requesting hydrogen's AAAA record with DO=1:
>
> mcasadevall at neon:~$ dig @helium.li694-22 hydrogen.li694-22 AAAA +dnssec
>
> ; <<>> DiG 9.9.5-3ubuntu0.15-Ubuntu <<>> @helium.li694-22 hydrogen.li694-22 AAAA +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58352
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;hydrogen.li694-22. IN AAAA
>
> ;; ANSWER SECTION:
> hydrogen.li694-22. 3600 IN AAAA 2600:3c00::f03c:91ff:fe6e:1ded
>
> ;; AUTHORITY SECTION:
> li694-22. 3600 IN NS helium.li694-22.
> li694-22. 3600 IN NS boron.li694-22.
>
> ;; ADDITIONAL SECTION:
> boron.li694-22. 3600 IN AAAA 2600:3c00::f03c:91ff:fe6e:c4bf
> helium.li694-22. 3600 IN AAAA 2600:3c00::f03c:91ff:fe6e:1d88
>
> ;; Query time: 0 msec
> ;; SERVER: 2600:3c00::f03c:91ff:fe6e:1d88#53(2600:3c00::f03c:91ff:fe6e:1d88)
> ;; WHEN: Wed Oct 02 17:45:52 UTC 2019
> ;; MSG SIZE rcvd: 171
>
> I get an AA record, but no signed results. This should be SERVFAIL
> because there's no chain from root. Notably, running a test against a
> known bad domain fails as expected:
Isn't "li694-22." a fake domain that only exists on your authoritative
server "helium"? And it is unclear if you're also running a fake root
zone as in the first case you described. It's not entirely clear without
seeing all the zone's contents and nameserver config.

Anyway, here you're querying helium directly for
"hydrogen.li694-22./AAAA". helium is authoritative for "li694-22.", as
you've noted; the authoritative server algorithm does not perform DNSSEC
validation (it is the resolver algorithm that does). Basically helium is
serving the unsigned "li694-22." zone in this case in isolation. It
serves no DNSSEC records because none exist, and returns AA=1.

The nameserver (one that has both authoritative and resolver
functionality) prefers to return authoritative data when it is available
over cached data.
Mukund
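As an added example (not code from the thread or from either poster), here is a small Python triage script that parses dig's text output and states what the header flags actually prove about DNSSEC. It embeds the response quoted above (mail wrapping undone, timing lines dropped) and, for contrast, a constructed response from a validating resolver for a signed zone using documentation names, a documentation address and a placeholder RRSIG. The classification labels are this example's own, not dig's.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# dig output quoted in the thread: helium answering directly for its own unsigned zone.
AUTHORITATIVE_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58352
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;hydrogen.li694-22. IN AAAA
;; ANSWER SECTION:
hydrogen.li694-22. 3600 IN AAAA 2600:3c00::f03c:91ff:fe6e:1ded
;; AUTHORITY SECTION:
li694-22. 3600 IN NS helium.li694-22.
li694-22. 3600 IN NS boron.li694-22.
;; ADDITIONAL SECTION:
boron.li694-22. 3600 IN AAAA 2600:3c00::f03c:91ff:fe6e:c4bf
helium.li694-22. 3600 IN AAAA 2600:3c00::f03c:91ff:fe6e:1d88
"""

# Constructed contrast case (not from the thread): a validating resolver answering from
# cache for a signed zone and setting ad=1. Documentation names/address, placeholder RRSIG.
VALIDATED_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.test. 300 IN A 192.0.2.1
example.test. 300 IN RRSIG A 13 2 300 20300101000000 20250101000000 12345 example.test. PLACEHOLDER==
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")  # deliberately not matching "OPT PSEUDOSECTION:"


@dataclass
class DigResponse:
    status: str = "UNKNOWN"
    flags: set[str] = field(default_factory=set)       # header flags: qr aa rd ra ad cd
    edns_flags: set[str] = field(default_factory=set)  # EDNS flags, e.g. "do"
    # section name -> list of (owner, ttl, rrtype, rdata)
    sections: dict[str, list[tuple[str, int, str, str]]] = field(default_factory=dict)


def parse_dig(text: str) -> DigResponse:
    """Parse the parts of dig's text output that matter for a DNSSEC triage."""
    resp = DigResponse()
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            if m:
                resp.status = m.group(1)
        elif line.startswith(";; flags:"):
            resp.flags = set(line[len(";; flags:"):].split(";", 1)[0].split())
        elif line.startswith("; EDNS:"):
            m = re.search(r"flags:\s*([^;]*);", line)
            if m:
                resp.edns_flags = set(m.group(1).split())
        elif (m := SECTION_RE.match(line)):
            current = m.group(1)
            resp.sections.setdefault(current, [])
        elif current and not line.startswith(";"):
            parts = line.split(None, 4)  # owner ttl class type rdata
            if len(parts) == 5 and parts[2] == "IN":
                owner, ttl, _, rrtype, rdata = parts
                resp.sections[current].append((owner, int(ttl), rrtype, rdata))
    return resp


def classify(resp: DigResponse) -> str:
    """State what the response proves about DNSSEC (labels are this example's own)."""
    aa, ad = "aa" in resp.flags, "ad" in resp.flags
    do = "do" in resp.edns_flags
    signed = any(rr[2] == "RRSIG" for rr in resp.sections.get("ANSWER", []))
    if resp.status == "SERVFAIL":
        return "servfail"  # possibly a validation failure; the resolver's logs say which
    if aa:
        # Authoritative data is returned as-is: the server neither validates it nor claims
        # to, so an aa=1 answer can never show a missing chain of trust from the root.
        return "authoritative-signed" if signed else "authoritative-unsigned"
    if ad:
        return "validated"  # the resolver vouches for the data under its trust anchors
    if do and signed:
        return "signed-not-validated"  # signatures present, but no resolver vouched for them
    return "unsigned-or-not-validating"


if __name__ == "__main__":
    for name, sample in (("helium direct", AUTHORITATIVE_SAMPLE), ("constructed", VALIDATED_SAMPLE)):
        r = parse_dig(sample)
        print(f"{name}: status={r.status} flags={sorted(r.flags)} -> {classify(r)}")
```

Run on the quoted response, the script reports `authoritative-unsigned`: aa=1 with no RRSIG in the answer, which is exactly the "serving its own unsigned zone in isolation" case rather than a validation result. To see what a validator thinks of the chain from the root, the query has to go to a resolver that does not itself hold the zone, and the flag to look at is ad, not aa.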