Hi Remi,
On 1/23/19 10:04 AM, Remi Gacogne wrote:
[..]
>> In short I would like that pdns_recursor does not use information from
>> additional sections. Just like pdns authoritative 4.1.x does not
>> generate additional sections anymore.
> Completely ignoring additional records would break zones that need glue
> records to resolve, at the very least. What are you trying to achieve?
I understand that the additional section must exist for zone glue.
It is rumored that the attack described by Bert
https://blog.powerdns.com/2018/09/10/spoofing-dns-with-fragments/ is
based on tweaked additional sections using fragments.
Let's take the output of
dig +dnssec aaaa ns-de.ui-dns.de @a.nic.de
as an example. If the additional section was tweaked, pdns_recursor has
no real chance to detect this.
Asking all other authoritative servers from the authority section is
already done if I interpret the output of rec_control trace-regex
correctly. A well prepared attacker should be able to tweak the
additional section of the other delegating nameservers too, so that an
attacked pdns_recursor ends up with something other than
ns-de.ui-dns.de. A 217.160.80.193 in the cache.
So I either filter away fragments (for the recursors) or I dnssec sign
ui-dns.de (on my authoritative servers) to be safe.
What do you think?
Thomas
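The trade-off discussed above (glue in the additional section is needed, but the rest of the section is a poisoning surface) is usually handled with a bailiwick filter: only accept address records that are glue for a delegation the responding server is allowed to make, and discard everything else. The following is an added example, not code from pdns_recursor or the thread; it models records as plain dataclasses instead of parsing wire format, and all sample records are constructed (the 192.0.2.x addresses are TEST-NET placeholders, the 217.160.80.193 value is the one quoted in the message).

```python
"""Bailiwick filter for additional-section records (added example, not
pdns_recursor code). Records are modelled as dataclasses rather than parsed
from wire format; every sample record below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # "NS", "A", "AAAA", ...
    rdata: str   # NS target or address, as text


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def in_zone(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def filter_additional(server_zone, authority, additional):
    """Split additional records into (kept, dropped).

    A record is kept only if it is address glue: an A/AAAA record whose
    owner is the target of an NS record in the authority section, where the
    delegated zone lies under the zone the responding server is authoritative
    for (server_zone) and the glue owner lies under the delegated zone.
    Everything else in the additional section is discarded rather than cached.
    """
    targets_by_zone = {}
    for rr in authority:
        if rr.rtype == "NS" and in_zone(rr.name, server_zone):
            zone = normalize(rr.name)
            targets_by_zone.setdefault(zone, set()).add(normalize(rr.rdata))

    kept, dropped = [], []
    for rr in additional:
        owner = normalize(rr.name)
        is_glue = rr.rtype in ("A", "AAAA") and any(
            owner in targets and in_zone(owner, zone)
            for zone, targets in targets_by_zone.items()
        )
        (kept if is_glue else dropped).append(rr)
    return kept, dropped


# Constructed sample shaped like the delegation in the thread's dig example:
# a.nic.de is authoritative for "de" and delegates ui-dns.de with glue.
SERVER_ZONE = "de"
AUTHORITY = [RR("ui-dns.de.", "NS", "ns-de.ui-dns.de.")]
ADDITIONAL = [
    RR("ns-de.ui-dns.de.", "A", "217.160.80.193"),   # legitimate glue
    RR("www.example.com.", "A", "192.0.2.5"),        # out of bailiwick
    RR("ns-de.ui-dns.de.", "A", "192.0.2.99"),       # constructed: tweaked glue
]


def demo():
    """Run the filter over the constructed sample and return (kept, dropped)."""
    return filter_additional(SERVER_ZONE, AUTHORITY, ADDITIONAL)


if __name__ == "__main__":
    kept, dropped = demo()
    for rr in kept:
        print("keep:", rr)
    for rr in dropped:
        print("drop:", rr)
```

The third sample record makes the point of the message concrete: a replaced glue address that is still in-bailiwick passes the filter, because the check only limits which names an additional section may speak for, not whether the data is genuine. Detecting that kind of swap needs a signature over the data (DNSSEC on ui-dns.de) or avoiding the fragmented responses the attack relies on, which are the two options named above.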
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users