[Pdns-users] pdns_recursor and records in additional section of replies

Thomas Mieslinger miesi at india.com
Wed Jan 23 13:08:40 UTC 2019


Hi Remi,

On 1/23/19 10:04 AM, Remi Gacogne wrote:
> [..] >> In short I would like that pdns_recursor does not use information from
>> additional sections. Just like pdns authoritative 4.1.x does not
>> generate additional sections anymore.
> 
> Completely ignoring additional records would break zones that need glue

I understand that the additional section must exist for zone glue.

> records to resolve, at the very least. What are you trying to achieve?

It is rumored that the attack described by Bert 
https://blog.powerdns.com/2018/09/10/spoofing-dns-with-fragments/ is 
based on tweaked additional sections using fragments.

Lets take the output of

dig +dnssec aaaa ns-de.ui-dns.de @a.nic.de

as an example. If the additional section was tweaked, pdns_recursor has 
no real chance to detect this.

Asking all other authoritative servers from the authority section is 
already done if I interpret the output of rec_control trace-regex 
correctly. A well prepared attacker should be able to tweak the 
additional section of the other delegating nameservers too, so that an 
attacked pdns_recursor ends up with something other than 
ns-de.ui-dns.de.	A 217.160.80.193 in the cache.

So I either filter away fragments (for the recursors) or I dnssec sign 
ui-dns.de (on my authoritative servers) to be safe.

What do you think?

Thomas


More information about the Pdns-users mailing list