DNSSEC uses NSEC (or NSEC3) records to indicate that a requested domain name does not exist. NSEC has been criticized because it allows zone enumeration.

What breaks if DNSSEC is implemented without NSEC records, that is, if there is no authentication of nonexistent domains? (If a domain exists, the response is authenticated; if the domain does not exist, the response is unauthenticated.)

As I understand it, DANE uses NSEC to protect against MITM, but I do not understand exactly how. Wouldn't an attacker just drop or corrupt authenticated NSEC responses?

Could it be that there is no way of knowing whether a DNS response was supposed to be DNSSEC-authenticated, or was a (proposed, unimplemented) NSEC response subsequently modified by an attacker into an unauthenticated DNS response pointing to an attacker-controlled host?

Am I getting it right? Are there other problems?

yyy

1 Answer

If you do not authenticate NXDOMAIN responses, then any attack where the villain can send the victim an NXDOMAIN reply before, or in place of, the correct answer would be accepted by the victim's resolver, and hence the attacker is able to make any domain disappear (in the view of the victim) without the victim being able to detect this attack. Hence NSEC, NSEC3 or NSEC5.

Dropping NSEC replies would be seen by the resolver: it would retry the query and then bail out saying "network error", so if this is an attack it gets detected. The same goes for corrupting valid NSEC/NSEC3 records: since they are signed with the accompanying RRSIG record, a change in them would be detected by the victim.

And the victim knows that there is a DNSSEC enabled zone by seeing the DS record in the parent zone, needed to follow the chain of trust.

Patrick Mevzek

  • Also, "proof of non-existence" by NSEC or NSEC3 does not authenticate only NXDOMAIN but also NODATA (the name exists but there are no resource records of the type you want). – bortzmeyer Sep 17 '17 at 19:02
  • So, summary: dropping NSEC would make dropped NXDOMAIN and NODATA responses undetectable, and it would be bad for automated systems, for which DANE is typically used. For non-automated systems it could be acceptable. – yyy Oct 02 '17 at 17:09
  • I do not understand your terminology on automated vs. non-automated... if I use my browser and make a typo in a website address, I prefer to have a clear message telling me so... instead of letting my ISP or any other party hijack my NXDOMAIN... which is possible without DNSSEC. – Patrick Mevzek Oct 02 '17 at 17:13
  • By automated I meant things like SMTP (server-to-server transfers), which appears to be a significant use of DANE. Non-automated would be things where the user is at least looking at what is going on. (Some time ago there was experimental support for DANE in Chrome, but it has been dropped.) – yyy Oct 03 '17 at 17:05
  • But DNSSEC is useful even outside DANE! – Patrick Mevzek Oct 03 '17 at 17:21
  • But if the choice is between [DNSSEC without NSEC] and [no DNSSEC at all]? – yyy Oct 05 '17 at 05:26
  • Sorry, you lost me. What is DNSSEC without NSEC??? – Patrick Mevzek Oct 05 '17 at 12:49
  • Topic of this question: a variant of DNSSEC which does not authenticate NXDOMAIN and NODATA responses (for these cases it uses the same responses as ordinary DNS, the one without DNSSEC). – yyy Oct 05 '17 at 16:57
  • There are no variants of DNSSEC in real life... You choose between NSEC and NSEC3, that is all. – Patrick Mevzek Oct 05 '17 at 17:49
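To make the accepted answer's points concrete, the following toy resolver-side validator is an added example (not code from the question, the answer, or any real DNSSEC implementation). It models what a validating resolver does once it has seen a DS record in the parent zone: a signed NSEC that actually covers the queried name proves NXDOMAIN, an NSEC owned by the name whose type bitmap lacks the wanted type proves NODATA, a rewritten or non-covering NSEC is rejected, and an NXDOMAIN with no proof at all is rejected rather than accepted. The `require_denial_proof=False` switch models the hypothetical "DNSSEC without NSEC" variant from the question, where such an unproven NXDOMAIN is simply accepted. An HMAC over the record text stands in for DNSKEY/RRSIG, the zone `example.com.` with hosts `alpha` and `charlie` is constructed, and the ordering/covering rules are a simplified form of those in RFC 4034/4035.

```python
"""Toy DNSSEC validator illustrating why denial of existence must be signed.
Constructed example: an HMAC stands in for DNSKEY/RRSIG; nothing here talks
to a real resolver."""
import hashlib
import hmac

ZONE_KEY = b"constructed-zone-signing-key"  # stand-in for the zone's private DNSKEY


def order_key(name):
    """Canonical DNS ordering: labels compared right to left, case-insensitively."""
    return [label.lower() for label in reversed(name.rstrip(".").split("."))]


def nsec_rdata(owner, next_name, types):
    """Text form of an NSEC record; the (stand-in) signature covers this text."""
    return f"{owner} NSEC {next_name} {' '.join(sorted(types))}"


def sign(rdata):
    """Stand-in for producing an RRSIG (HMAC, not real DNSSEC signing)."""
    return hmac.new(ZONE_KEY, rdata.encode(), hashlib.sha256).hexdigest()


def verify(rdata, rrsig):
    return hmac.compare_digest(sign(rdata), rrsig)


def make_nsec(owner, next_name, types):
    """An NSEC record as published by the signed zone, with its RRSIG."""
    return {"owner": owner, "next": next_name, "types": set(types),
            "rrsig": sign(nsec_rdata(owner, next_name, types))}


def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between owner and next_name.
    The last NSEC in the chain points back to the apex, so it wraps around."""
    o, n, q = order_key(owner), order_key(next_name), order_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def validate(response, qname, qtype, parent_has_ds=True, require_denial_proof=True):
    """Resolver-side verdict for one response: SECURE, INSECURE or BOGUS.
    parent_has_ds models the DS record in the parent zone (no DS, no chain of trust).
    require_denial_proof=False models the hypothetical 'DNSSEC without NSEC'."""
    if not parent_has_ds:
        return "INSECURE"
    if response["rcode"] == "NOERROR" and response.get("answer"):
        return "SECURE" if verify(response["answer"], response.get("rrsig", "")) else "BOGUS"
    # NXDOMAIN, or NOERROR with an empty answer (NODATA): the zone is signed, so a proof is required
    nsec = response.get("nsec")
    if nsec is None:
        return "INSECURE" if not require_denial_proof else "BOGUS"
    # Recompute the signed text from the fields so a rewritten next name or type bitmap is caught
    if not verify(nsec_rdata(nsec["owner"], nsec["next"], nsec["types"]), nsec["rrsig"]):
        return "BOGUS"
    if response["rcode"] == "NXDOMAIN":
        proven = nsec_covers(nsec["owner"], nsec["next"], qname)
    else:  # NODATA: the name itself owns the NSEC and the wanted type is absent from its bitmap
        proven = nsec["owner"].lower() == qname.lower() and qtype not in nsec["types"]
    return "SECURE" if proven else "BOGUS"


# Constructed zone example.com. with two hosts; the NSEC chain is in canonical order.
NSEC_APEX = make_nsec("example.com.", "alpha.example.com.", ["SOA", "NS", "RRSIG", "NSEC"])
NSEC_ALPHA = make_nsec("alpha.example.com.", "charlie.example.com.", ["A", "RRSIG", "NSEC"])
NSEC_CHARLIE = make_nsec("charlie.example.com.", "example.com.", ["A", "RRSIG", "NSEC"])
ALPHA_A = "alpha.example.com. A 192.0.2.10"


def scenarios():
    """Verdicts a validating resolver reaches for genuine and manipulated responses."""
    r = {}
    r["signed_answer"] = validate({"rcode": "NOERROR", "answer": ALPHA_A, "rrsig": sign(ALPHA_A)},
                                  "alpha.example.com.", "A")
    r["modified_answer"] = validate({"rcode": "NOERROR", "answer": "alpha.example.com. A 203.0.113.9",
                                     "rrsig": sign(ALPHA_A)}, "alpha.example.com.", "A")
    # bravo does not exist; the alpha -> charlie NSEC proves it
    r["genuine_nxdomain"] = validate({"rcode": "NXDOMAIN", "nsec": NSEC_ALPHA}, "bravo.example.com.", "A")
    # an NXDOMAIN carrying no proof at all, for a name that does exist
    unproven = {"rcode": "NXDOMAIN"}
    r["unproven_nxdomain"] = validate(unproven, "alpha.example.com.", "A")
    r["unproven_nxdomain_no_nsec_variant"] = validate(unproven, "alpha.example.com.", "A",
                                                     require_denial_proof=False)
    # a genuine NSEC whose next name was rewritten so it appears to cover alpha
    rewritten = dict(NSEC_APEX, next="charlie.example.com.")
    r["rewritten_nsec"] = validate({"rcode": "NXDOMAIN", "nsec": rewritten}, "alpha.example.com.", "A")
    # a genuine, correctly signed NSEC that simply does not cover the queried name
    r["non_covering_nsec"] = validate({"rcode": "NXDOMAIN", "nsec": NSEC_APEX}, "bravo.example.com.", "A")
    # alpha exists but has no AAAA: NODATA proven by alpha's own NSEC type bitmap
    r["genuine_nodata"] = validate({"rcode": "NOERROR", "nsec": NSEC_ALPHA}, "alpha.example.com.", "AAAA")
    # zulu sorts after charlie, so the wrap-around NSEC covers it
    r["wraparound_nxdomain"] = validate({"rcode": "NXDOMAIN", "nsec": NSEC_CHARLIE}, "zulu.example.com.", "A")
    return r


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:36} {verdict}")
```

Running the block prints one verdict per scenario. The two `unproven_nxdomain` lines are the answer's point in miniature: with the DS present and NSEC required, a bare NXDOMAIN is BOGUS (the resolver reports a failure instead of believing the name is gone), whereas the hypothetical variant returns INSECURE and silently accepts it. The `rewritten_nsec` and `non_covering_nsec` cases show why both the RRSIG check and the covering check are needed; a valid signature on an NSEC that does not cover the name proves nothing about it.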