[DNSOP] Re: Potentially interesting DNSSEC library CVE

"Bellebaum, Thomas" <thomas.bellebaum@aisec.fraunhofer.de> Wed, 24 July 2024 07:08 UTC

List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rmdUQRQ2QnQ8wcXl2M-DqUgfvW4>

> However, it doesn't make sense to include step 4. A DNSSEC validator will  
> have taken care of step 4.

Partially. I believe the DNSSEC validation and following the CNAME-chain have to be implemented in the same routine.
This is because to perform an authenticated denial of existence, you first need to know which name and rrtype you want to prove does not exist.

Say you were querying for A-type records under a.x.example.com. A valid response would be an NXDOMAIN containing a CNAME (perhaps generated from an included and authenticated DNAME) to a.y.example.com, followed by some NSEC records proving the absence of a.y.example.com.

I would expect a minimal validator to
1. Look for A records under a.x.example.com, finding none
2. Look for CNAME records under a.x.example.com, finding one pointing to a.y.example.com, and authenticating it using the DNAME and associated RRSIG records.
3. Look for A records under a.y.example.com, finding none
4. Look for CNAME records under a.y.example.com, finding none
5. Verify that there really were no A, CNAME or DNAME records under a.y.example.com using the provided NSEC records.

In some cases (especially with recursive resolvers) this might even involve further queries to nameservers if some expected records were not found or for whatever reason.
E.g. unbound would perform steps 1 and probably 2 above, then query for another A record under a.y.example.com, even if it was already included in the first response.

This makes it quite hard to separate the relevance check from the DNSSEC validation.

- Thomas
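
The five steps listed in the message above, as an added example that is not part of the original post and not code from any resolver: it follows the CNAME chain first and only then checks the NSEC records against the name at the end of the chain. The function names and sample records are constructed; RRSIG verification, DNAME synthesis and wildcard proofs are assumed to happen elsewhere, and all names are assumed to lie in one zone.

```python
# Constructed sample data; every record is assumed to be RRSIG-verified already.
ANSWER = [("a.x.example.com", "CNAME", "a.y.example.com")]   # (owner, type, rdata)
NSEC_OK = [("y.example.com", "z.example.com", ["NS"])]       # (owner, next, types)
NSEC_WRONG = [("x.example.com", "y.example.com", ["A"])]     # covers a.x, not a.y

def canon(name):
    """Canonical ordering key (RFC 4034, 6.1): lowercase labels, rightmost first."""
    return [l.encode() for l in reversed(name.lower().rstrip(".").split("."))]

def follow_chain(qname, qtype, answer, limit=8):
    """Steps 1-4: follow CNAMEs, return (final_name, whether qtype was found)."""
    name = qname.lower()
    for _ in range(limit):
        if any(n.lower() == name and t == qtype for n, t, _ in answer):
            return name, True
        targets = [d for n, t, d in answer if n.lower() == name and t == "CNAME"]
        if not targets:
            return name, False
        name = targets[0].lower()
    raise ValueError("CNAME chain too long or looping")

def nsec_denies(name, qtype, nsecs):
    """Step 5: does any NSEC prove that name/qtype is absent?"""
    key = canon(name)
    for owner, nxt, types in nsecs:
        lo, hi = canon(owner), canon(nxt)
        if key == lo:
            # Name exists: NODATA proof needs qtype and CNAME missing from bitmap.
            if not ({qtype, "CNAME"} & set(types)):
                return True
        elif lo < key < hi or (hi <= lo and (key > lo or key < hi)):
            return True  # name falls in the gap (or the wrap-around gap)
    return False

def validate_denial(qname, qtype, answer, nsecs):
    """Denial is valid only for the name the chain ends at, not the query name."""
    name, found = follow_chain(qname, qtype, answer)
    return (not found) and nsec_denies(name, qtype, nsecs)

if __name__ == "__main__":
    print(validate_denial("a.x.example.com", "A", ANSWER, NSEC_OK))
    print(validate_denial("a.x.example.com", "A", ANSWER, NSEC_WRONG))
```

The second call fails even though `NSEC_WRONG` covers the original query name, which is why the denial check cannot be run without first knowing where the chain ends.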