[Pdns-users] pdns_recursor and records in additional section of replies
miesi at india.com
Wed Jan 23 13:08:40 UTC 2019
On 1/23/19 10:04 AM, Remi Gacogne wrote:
> [..]
>> In short I would like that pdns_recursor does not use information from
>> additional sections. Just like pdns authoritative 4.1.x does not
>> generate additional sections anymore.
> Completely ignoring additional records would break zones that need glue
> records to resolve, at the very least. What are you trying to achieve?
I understand that the additional section must exist for zone glue.
It is rumored that the attack described by Bert is
based on tweaked additional sections using fragments.
Let's take the output of
dig +dnssec aaaa ns-de.ui-dns.de @a.nic.de
as an example. If the additional section was tweaked, pdns_recursor has
no real chance to detect this.
Asking all other authoritative servers from the authority section is
already done if I interpret the output of rec_control trace-regex
correctly. A well prepared attacker should be able to tweak the
additional section of the other delegating nameservers too, so that an
attacked pdns_recursor ends up with something other than
ns-de.ui-dns.de. A 220.127.116.11 in the cache.
So I either filter away fragments (for the recursors) or I dnssec sign
ui-dns.de (on my authoritative servers) to be safe.
What do you think?
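The middle ground between "use everything in the additional section" and "ignore it completely" that the thread circles around is bailiwick filtering: a recursor keeps an additional record only if the server that sent the referral is authoritative for the owner name, and only if that name is one of the NS targets in the authority section. The following is an added illustration written for this thread, not PowerDNS code and not a description of how pdns_recursor implements its checks; the referral for ui-dns.de from the .de server and the 220.127.116.11 address come from the post, while ns-de.example.org, the AAAA address and www.example.com are constructed sample data.

```python
"""Bailiwick filtering of DNS additional-section records (added example).

Dropping the additional section entirely loses the glue needed to reach
nameservers inside the delegated zone.  The usual compromise is to keep an
additional A/AAAA record only when
  (a) its owner name is in bailiwick of the zone the referring server
      speaks for, and
  (b) it names a server listed in the authority (NS) section.
Everything else is discarded.  All records below are constructed samples.
"""

from typing import Dict, List, Tuple

RR = Dict[str, str]  # a resource record as a small dict: name/type/rdata


def normalize(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it; the root covers all."""
    n, z = normalize(name), normalize(zone)
    if z == "":
        return True
    return n == z or n.endswith("." + z)


def filter_additional(referral_zone: str, authority: List[RR],
                      additional: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split additional records into (kept, dropped) per the rules above.

    `referral_zone` is the zone the answering server is authoritative for
    (e.g. "de" for a .de TLD server), not the zone being delegated.
    """
    ns_targets = {normalize(rr["rdata"]) for rr in authority if rr["type"] == "NS"}
    kept: List[RR] = []
    dropped: List[RR] = []
    for rr in additional:
        owner = normalize(rr["name"])
        accept = (rr["type"] in ("A", "AAAA")
                  and in_bailiwick(owner, referral_zone)
                  and owner in ns_targets)
        (kept if accept else dropped).append(rr)
    return kept, dropped


# Constructed referral, modelled on `dig aaaa ns-de.ui-dns.de @a.nic.de`.
AUTHORITY: List[RR] = [
    {"name": "ui-dns.de.", "type": "NS", "rdata": "ns-de.ui-dns.de."},
    {"name": "ui-dns.de.", "type": "NS", "rdata": "ns-de.example.org."},  # hypothetical
]
ADDITIONAL: List[RR] = [
    {"name": "ns-de.ui-dns.de.", "type": "A", "rdata": "220.127.116.11"},
    {"name": "ns-de.ui-dns.de.", "type": "AAAA", "rdata": "2001:db8::1"},  # constructed
    # out of bailiwick for a .de server: must be re-resolved, not trusted
    {"name": "ns-de.example.org.", "type": "A", "rdata": "192.0.2.10"},
    # in bailiwick but not an NS target: unsolicited, dropped
    {"name": "www.example.com.", "type": "A", "rdata": "192.0.2.20"},
]


def demo() -> Tuple[int, int]:
    """Run the filter on the sample referral; returns (kept, dropped) counts."""
    kept, dropped = filter_additional("de", AUTHORITY, ADDITIONAL)
    for rr in kept:
        print("keep ", rr["name"], rr["type"], rr["rdata"])
    for rr in dropped:
        print("drop ", rr["name"], rr["type"], rr["rdata"])
    return len(kept), len(dropped)


if __name__ == "__main__":
    demo()
```

The point worth noting against this thread: bailiwick filtering only rejects records the referring server had no business supplying. A forged additional record for ns-de.ui-dns.de in a reply that appears to come from a .de server is in bailiwick and passes this check, which is exactly the gap the post describes and why the author's alternative of DNSSEC-signing ui-dns.de is the one that lets the recursor detect the substitution rather than merely scope it.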