[DNSOP] [dnsop] New Draft: Handling Unvalidated Data during DNSSEC Troubleshooting (draft-zhang-dnsop-dnssec-unvalidated-data-00)
张淑涵 <zhangsh22@mails.tsinghua.edu.cn> Wed, 07 May 2025 12:45 UTC
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5y6i86QjhYv-fYkgdp5emcUspm8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
Hello DNSOP WG,

It's my honor to share our recently submitted draft titled "Handling Unvalidated Data during DNSSEC Troubleshooting" (draft-zhang-dnsop-dnssec-unvalidated-data-00).

Draft link: https://datatracker.ietf.org/doc/draft-zhang-dnsop-dnssec-unvalidated-data/

Given the design complexity and the prevalence of misconfigurations of DNSSEC, many DNS resolvers support troubleshooting mechanisms for the public, during which the received DNS data are not enforced to be validated. However, as this draft demonstrates, this could open a new attack surface, where attackers can abuse the troubleshooting mechanism to inject forged data into the resolver's cache and trigger persistent domain resolution failure due to the reuse of the cached unvalidated data. To mitigate such risk, this draft proposes recommendations for DNSSEC-validating resolvers on how to cache and reuse DNS data introduced during DNSSEC troubleshooting.

This draft indicates that the data intended for troubleshooting can have a severe but overlooked impact on the routine functioning of DNS. Hence, it aims to raise the community's awareness of handling DNSSEC troubleshooting data with more caution, so as to prevent any potential abuse.

Summary of key points:

- Clarification of unvalidated data in DNSSEC, as a complement to RFC 4033-4035
- Demonstration of a new Denial-of-Service attack surface on DNSSEC-validating resolvers due to their reuse of cached unvalidated data
- Recommendations on how to cache and reuse DNSSEC-unvalidated data to mitigate the DoS risk

We welcome feedback from the community. We would be happy to discuss this in a future DNSOP session.

Best regards,
Shuhan Zhang
Tsinghua University
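The failure mode the announcement describes can be modelled in a few dozen lines. The toy resolver below is an added illustration, not code from the draft or its authors; it takes the CD (Checking Disabled) bit as the troubleshooting mechanism (the announcement does not name one), simulates upstream answers and the RRSIG check with a flag, and the reuse policy it enforces (tag troubleshooting data as unvalidated, never let it satisfy a validating query, discard it and refetch when it fails validation) is an assumption of mine rather than the draft's exact recommendation.

```python
"""Toy model of a DNSSEC-validating resolver cache (constructed example).

Shows how an RRset learned during troubleshooting (a CD=1 query, where the
resolver does not enforce validation) can, if reused for ordinary CD=0
queries, turn one bogus answer into a persistent SERVFAIL for the whole TTL,
and how tagging such entries as unvalidated and refusing to reuse them for
validating queries avoids that. Upstream answers and the RRSIG check are
simulated; the reuse policy is an assumption, not the draft's exact text."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable

TTL = 3600  # seconds; constructed value

class State(Enum):
    SECURE = "secure"            # chain of trust verified by this resolver
    UNVALIDATED = "unvalidated"  # learned via CD=1; signatures never checked

@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple
    sig_valid: bool  # stand-in for the result of a real RRSIG/chain check

@dataclass
class Entry:
    rrset: RRset
    state: State
    expires_at: int

# Constructed data: the genuine, properly signed answer and a bogus one
# whose signature does not verify.
GENUINE = RRset("example.com.", "A", ("192.0.2.1",), sig_valid=True)
BOGUS = RRset("example.com.", "A", ("203.0.113.99",), sig_valid=False)

class ValidatingResolver:
    def __init__(self, upstream: Callable[[str, str], RRset], reuse_unvalidated: bool):
        self.upstream = upstream
        # True models the risky behaviour: a cached troubleshooting entry is
        # treated as *the* data for the name, even for validating queries.
        self.reuse_unvalidated = reuse_unvalidated
        self.cache: dict[tuple[str, str], Entry] = {}
        self.upstream_fetches = 0

    def resolve(self, name: str, rtype: str, cd: bool, now: int) -> tuple[str, tuple]:
        key = (name, rtype)
        entry = self.cache.get(key)
        if entry is not None and entry.expires_at > now:
            if entry.state is State.SECURE or cd:
                return ("NOERROR", entry.rrset.rdata)
            # Cached entry is UNVALIDATED but the client wants validated data.
            if entry.rrset.sig_valid:
                entry.state = State.SECURE   # validates now: safe to promote
                return ("NOERROR", entry.rrset.rdata)
            if self.reuse_unvalidated:
                # Bogus troubleshooting data answers the query until its TTL expires.
                return ("SERVFAIL", ())
            del self.cache[key]              # hardened: discard and look it up afresh
        rrset = self.upstream(name, rtype)
        self.upstream_fetches += 1
        if cd:
            self.cache[key] = Entry(rrset, State.UNVALIDATED, now + TTL)
            return ("NOERROR", rrset.rdata)
        if not rrset.sig_valid:
            return ("SERVFAIL", ())          # bogus data is never cached as an answer
        self.cache[key] = Entry(rrset, State.SECURE, now + TTL)
        return ("NOERROR", rrset.rdata)

def scenario(reuse_unvalidated: bool) -> tuple[list[str], int]:
    """One CD=1 troubleshooting query receives BOGUS; afterwards upstream is
    healthy and serves GENUINE. Returns the rcodes of three later CD=0 queries
    within the TTL, and how many upstream fetches the resolver made."""
    current = {"answer": BOGUS}
    resolver = ValidatingResolver(lambda n, t: current["answer"], reuse_unvalidated)
    resolver.resolve("example.com.", "A", cd=True, now=0)
    current["answer"] = GENUINE
    rcodes = [resolver.resolve("example.com.", "A", cd=False, now=t)[0] for t in (10, 600, 3000)]
    return rcodes, resolver.upstream_fetches

if __name__ == "__main__":
    print("reuse unvalidated:", scenario(True))    # (['SERVFAIL', 'SERVFAIL', 'SERVFAIL'], 1)
    print("hardened:        ", scenario(False))   # (['NOERROR', 'NOERROR', 'NOERROR'], 2)
```

The two runs differ only in the reuse policy: with reuse, a single bogus answer obtained during troubleshooting keeps every validating query for the name failing until the TTL runs out, even though the authoritative side is healthy the whole time; with the unvalidated tag honoured, the resolver pays one extra upstream fetch and recovers immediately.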
- [DNSOP] [dnsop] New Draft: Handling Unvalidated D… 张淑涵
- [DNSOP] Re: [dnsop] New Draft: Handling Unvalidat… Paul Wouters
- [DNSOP] Re: [dnsop] New Draft: Handling Unvalidat… Ondřej Surý
- [DNSOP] Re: [dnsop] New Draft: Handling Unvalidat… Mark Andrews
- [DNSOP] Re: [dnsop] New Draft: Handling Unvalidat… Philip Homburg
- [DNSOP] Re: [dnsop] New Draft: Handling Unvalidat… zhangsh