[Pdns-users] pdns_recursor and records in additional section of replies
Thomas Mieslinger
miesi at india.com
Wed Jan 23 13:08:40 UTC 2019
Hi Remi,
On 1/23/19 10:04 AM, Remi Gacogne wrote:
> [..]
>> In short I would like that pdns_recursor does not use information from
>> additional sections. Just like pdns authoritative 4.1.x does not
>> generate additional sections anymore.
>
> Completely ignoring additional records would break zones that need glue
I understand that the additional section must exist for zone glue.
> records to resolve, at the very least. What are you trying to achieve?
It is rumored that the attack described by Bert
https://blog.powerdns.com/2018/09/10/spoofing-dns-with-fragments/ is
based on tweaked additional sections using fragments.
Let's take the output of
dig +dnssec aaaa ns-de.ui-dns.de @a.nic.de
as an example. If the additional section was tweaked, pdns_recursor has
no real chance to detect this.
Asking all other authoritative servers from the authority section is
already done if I interpret the output of rec_control trace-regex
correctly. A well prepared attacker should be able to tweak the
additional section of the other delegating nameservers too, so that an
attacked pdns_recursor ends up with something other than
ns-de.ui-dns.de. A 217.160.80.193 in the cache.
So I either filter away fragments (for the recursors) or I dnssec sign
ui-dns.de (on my authoritative servers) to be safe.
What do you think?
Thomas
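The kind of bailiwick check a recursor can apply to the situation discussed above, added here as an example (not code from the thread or from PowerDNS): glue for the delegated nameservers is still accepted, while additional-section address records outside the responding server's zone, or for names the authority section does not delegate to, are ignored rather than cached. Apart from 217.160.80.193 and the ui-dns.de names from the thread, all records, names and addresses are constructed sample data.

```python
"""Bailiwick filter for the additional section of a DNS referral (added
example, not PowerDNS code). Glue, which Remi notes must be accepted, stays
usable; address records outside the zone the responding server serves, or
not belonging to a delegated nameserver, are dropped instead of cached."""


def _labels(name):
    """Lower-case labels of a domain name, ignoring the trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def in_bailiwick(name, zone):
    """True if `name` equals `zone` or lies below it (case-insensitive)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_referral(server_zone, authority, additional):
    """Split additional records into (accepted, rejected-with-reason).

    server_zone: zone the queried server is authoritative for, e.g. "de.".
    authority:   (owner, "NS", target) tuples; additional: (owner, type, rdata).
    """
    delegated_ns = {t.lower().rstrip(".") for owner, rtype, t in authority
                    if rtype == "NS" and in_bailiwick(owner, server_zone)}
    accepted, rejected = [], []
    for rec in additional:
        owner, rtype, _rdata = rec
        if rtype not in ("A", "AAAA"):
            rejected.append((rec, "not an address record"))
        elif not in_bailiwick(owner, server_zone):
            rejected.append((rec, "out of bailiwick"))
        elif owner.lower().rstrip(".") not in delegated_ns:
            rejected.append((rec, "not a delegated nameserver"))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed referral as a.nic.de (authoritative for "de.") might return for
# ui-dns.de; only 217.160.80.193 comes from the thread, the rest are samples.
SAMPLE_AUTHORITY = [("ui-dns.de.", "NS", "ns-de.ui-dns.de."),
                    ("ui-dns.de.", "NS", "ns.example.net.")]
SAMPLE_ADDITIONAL = [
    ("ns-de.ui-dns.de.", "A", "217.160.80.193"),  # glue from the thread, kept
    ("ns-de.ui-dns.de.", "AAAA", "2001:db8::53"),  # in-zone glue, kept
    ("ns.example.net.", "A", "192.0.2.1"),         # out of bailiwick, dropped
    ("www.example.com.", "A", "192.0.2.2"),        # out of bailiwick, dropped
    ("other.ui-dns.de.", "A", "192.0.2.3"),        # in zone but not an NS
]
```

The out-of-bailiwick nameserver (ns.example.net. here) is not rejected as a delegation, only its address is; the recursor has to resolve it through the zone that actually owns it.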