Hello DNSOP WG,
It’s my honor to share our recently submitted draft titled “Handling
Unvalidated Data during DNSSEC Troubleshooting”
(draft-zhang-dnsop-dnssec-unvalidated-data-00). Draft link:
https://datatracker.ietf.org/doc/draft-zhang-dnsop-dnssec-unvalidated-data/
Given the design complexity and the prevalence of misconfigurations of DNSSEC,
many DNS resolvers support troubleshooting mechanisms for the public, during
which the received DNS data are not required to be validated. However, as this
draft demonstrates, this could open a new attack surface, where attackers can
abuse the troubleshooting mechanism to inject forged data into the resolver’s
cache and trigger persistent domain resolution failure due to the reuse of the
cached unvalidated data. To mitigate such risk, this draft proposes
recommendations for DNSSEC-validating resolvers on how to cache and reuse DNS
data introduced during DNSSEC troubleshooting. This draft indicates that the
data intended for troubleshooting can have a severe but overlooked impact on the
routine functioning of DNS. Hence, it aims to raise the community’s awareness
of handling DNSSEC troubleshooting data with more caution, so as to prevent
any potential abuse.
Summary of key points:
- Clarification of unvalidated data in DNSSEC, as a complement to RFC 4033-4035
- Demonstration of a new Denial-of-Service attack surface on DNSSEC-validating
resolvers due to their reuse of cached unvalidated data
- Recommendations on how to cache and reuse DNSSEC-unvalidated data to mitigate
the DoS risk
We welcome feedback from the community. We would be happy to discuss this in a
future DNSOP session.
Best regards,
Shuhan Zhang
Tsinghua University
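The cache-reuse problem described in the announcement above, as an added toy model that is not code from the draft or from any real resolver: it assumes the troubleshooting mechanism is a Checking-Disabled (CD=1) query as in RFC 4035, uses constructed data (`example.test.`, `192.0.2.1`, a spoofed `203.0.113.9` answer, and a `sig_ok` flag standing in for RRSIG verification), and contrasts a shared cache with one partitioned by validation state, which is one possible reading of the draft's recommendation, not its text.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    rdata: str
    sig_ok: bool          # stands in for "the RRSIG chain would verify"
    validated: bool = False

# Constructed authoritative data: the genuine record validates.
AUTH = {("example.test.", "A"): ("192.0.2.1", True)}

def fetch(name, rtype):
    rdata, sig_ok = AUTH[(name, rtype)]
    return Entry(rdata, sig_ok)

class Resolver:
    """Validating resolver with an optional cache partition by validation state."""
    def __init__(self, partition_cache):
        self.partition = partition_cache
        self.cache = {}

    def _key(self, name, rtype, validated):
        return (name, rtype, validated) if self.partition else (name, rtype)

    def resolve(self, name, rtype, cd, upstream=fetch):
        """Return (rcode, rdata). cd=1 is a troubleshooting query: no validation."""
        for validated in (True, False):
            e = self.cache.get(self._key(name, rtype, validated))
            if e is None:
                continue
            if cd or e.validated:
                return "NOERROR", e.rdata
            if self.partition:
                break          # unvalidated data is never reused for CD=0 queries
            if not e.sig_ok:   # shared cache: forged data fails validation until it expires
                return "SERVFAIL", None
            e.validated = True
            return "NOERROR", e.rdata
        e = upstream(name, rtype)
        if not cd:
            if not e.sig_ok:
                return "SERVFAIL", None
            e.validated = True
        self.cache[self._key(name, rtype, e.validated)] = e
        return "NOERROR", e.rdata

def demo(partition_cache):
    """Cache an unvalidated (constructed, forged) answer via CD=1, then query normally."""
    forged = lambda n, t: Entry("203.0.113.9", sig_ok=False)
    r = Resolver(partition_cache)
    r.resolve("example.test.", "A", cd=1, upstream=forged)
    return r.resolve("example.test.", "A", cd=0)
```

With the shared cache, `demo(False)` returns SERVFAIL for every ordinary query until the forged record expires; with the partitioned cache, `demo(True)` falls through to a fresh validated fetch.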
_______________________________________________
DNSOP mailing list -- [email protected]