4

I have been reading for several hours about DNSSEC and I'm still failing to understand how it protects from MITM attacks. I have also read every question here on serverfault related to DNSSEC.

Please have a look at this DNSSEC packet capture : https://www.cloudshark.org/captures/79e23786259b

What stops the MITM from intercepting every query, and reply back with its own keypairs for every DNSKEYS, RRSIG and DS records ?

For example, the MITM would generate RRSIG for www.ietf.org, then DNSKEYS for ietf.org, then DS record for ietf.org. And then another set of DNSKEYS and DS records for "org", and then again for <Root>.

In TLS, we can trust the chain of trust with CAs because Root CAs are pre-installed on every systems, so we can check the replies against it. In DNSSEC, I do not believe the root DNSKEY is installed on systems like Root CAs are. So what makes it that we can trust this root key that we receive ?

alexander.polomodov
  • 1,068
  • 3
  • 10
  • 14
pHeoz
  • 163
  • 7
  • 1
    `In TLS, we can trust the chain of trust with CAs because Root CAs are pre-installed on every systems, so we can check the replies against it.` That isn't entirely accurate. There is malware today that replaces CA certificates on clients, which makes a MITM attack trivial. This is why more vendors and providers are implementing certificate pinning, to trust only CA certificates with specific keys. – Greg Askew Jul 13 '18 at 13:01

2 Answers2

5

This problem is solved with a chain of trust: every link in this chain has signed DS record(s) in the previous zone, as already mentioned in your question. This emphasizes the significance of an anchor at the root name servers. If this was spoofed, the whole chain of trust was compromised. Therefore, resolvers must be pre-configured with the trust anchor. RFC 6781 explains:

4.2.3. Compromises of Keys Anchored in Resolvers

A key can also be pre-configured in resolvers as a trust anchor. If trust anchor keys are compromised, the administrators of resolvers using these keys should be notified of this fact. Zone administrators may consider setting up a mailing list to communicate the fact that a SEP key is about to be rolled over. This communication will of course need to be authenticated by some means, e.g., by using digital signatures.

End-users faced with the task of updating an anchored key should always verify the new key. New keys should be authenticated out-of- band, for example, through the use of an announcement website that is secured using Transport Layer Security (TLS) [RFC5246].

You can download the Current Root Trust Anchors (bind.keys) directly from the Internet Systems Consortium. The site is protected using TLS & the file is also signed with their signing key.

If you don’t have anything in named.conf and there is no bind.keys file, named will use the compiled in keys.

Note: these are managed keys, so this is only applies the first time you execute named. Assuming that the keys are not already expired (in which case named will log that the key is expired and validation will not work), named will use RFC 5011 to detect new keys and automatically roll and maintain keys. Once named is managing the keys, the current keys will be in managed-keys.bind or *.mkeys, if you use views.

Another problem is the communication with your resolver, the "last mile". The resolver may be validating the signatures and answering with the DNS Authenticated Data (AD) bit, but as DNS works in plain text, the results could be modified by a man-in-the-middle (MITM) attacker. There are multiple possible solutions to this:

  • You could have an own local resolver having the anchor keys file, but this is not quite a practical solution for masses. It also causes more traffic to the root name servers, if there's no forwarders configured. It's a trust-no-one solution, where you verify the signatures by yourself.

  • DNS-over-TLS & DNS-over-HTTPS. E.g. Cloudflare with their 1.1.1.1 supports both:

    What's needed is a move to a new, modern protocol. There are a couple

of different approaches. One is DNS-over-TLS. That takes the existing DNS protocol and adds transport layer encryption. Another is DNS-over-HTTPS. It includes security but also all the modern enhancements like supporting other transport layers (e.g., QUIC) and new technologies like server HTTP/2 Server Push. Both DNS-over-TLS and DNS-over-HTTPS are open standards.

We think DNS-over-HTTPS is particularly promising — fast, easier to parse, and encrypted. – – We're hoping that with an independent DNS-over-HTTPS service now available, we'll see more experiments from browsers, operating systems, routers, and apps to support the protocol.

  • DNSCrypt authenticates communications between a DNS client and a DNS resolver using cryptographic signatures. This has never been proposed to the IETF (there's no RFC).
Community
  • 1
Esa Jokinen
  • 46,944
  • 3
  • 83
  • 129
  • Ultimately, with DANE you'll get two independent validations for your TLS certificates, using both CA and DNSSEC. Using multiple layers mitigates any possible trust issues with each. (And the user bypassing all the warnings will waste all the efforts.) – Esa Jokinen Jul 13 '18 at 12:42
  • So my point is correct : resolver to nameserver communications are secured, but client to resolver are not. It sounds like it completely defeats the purpose of DNSSEC. Just like HTTPS gets defeated by SSLstrip without HSTS. Is there an equivalent of HSTS for DNSSEC ? – pHeoz Jul 13 '18 at 13:16
  • Combination of trusted DNSSEC enabled resolver and DNS-over-TLS client communication does the trick. DNSSEC does its part on this pretty well. – Esa Jokinen Jul 13 '18 at 14:10
  • Right, I was just reading about DNS over TLS, and it seems you have to specify a hostname in addition to the server IP to validate the certificate your receive. Why they didn't use certificates with the IP of the server as Common Name is hard to understand, it seemed to be the perfect opportunity to use this feature. Anyway, DNSSEC now makes more sense ! – pHeoz Jul 13 '18 at 14:18
  • *Is there an equivalent of HSTS for DNSSEC ?* No need for, as soon as the parent zone has a DS, it means that the zone is DNSSEC enabled. Of course the parent zone DS and its associated signatures must have a valid trust path up to the root. – Patrick Mevzek Jul 14 '18 at 03:12
0

Besides Esa Jokinen extensive reply, let us go back to:

I do not believe the root DNSKEY is installed on systems like Root CAs are. This is the false assumption you have that creates then all the consequences that you are right to describe.

But the root DNSKEY is indeed shipped with the resolvers. Which creates itself other problems, specially in the wake of planned change of this key (it was planned for last october but got postponed).

You have indeed a DNSSEC bootstrap. The software must have the key out of band but also may need to update it. What happens if you buy a product today, hence shipped with current key, leave it like that for 2 years and then power it on, where the current DNSKEY root key will have been replaced by another one?

You can imagine many things like... let us grab the key from IANA website through HTTPS of course! Except that to do that you need to resolve IANA website name and hence you depend on DNS and the associated DNSSEC that you are just trying to configure. And you will not of course harcode IANA website IP addresses either. Or you can imagine just relying on TLS since you could even exchange DNS/DNSSEC chains of trust during TLS handshake... except that it means you need to ship with a CA certificate, which can itself change (even if we can say for now that CA certificates lasts/will last longer than DNSSEC root key... except that with Let's Encrypt we could also imagine a future with shorter CAs...), so back to square one.

Chicken and egg problem.

You can learn more about this problem and solutions to it in this document for example: https://datatracker.ietf.org/doc/draft-jabley-dnsop-bootstrap-validator/ This document discusses an approach for automatic configuration of trust anchors in a DNSSEC validator.

An if you already have a valid (current) DNSSEC root key, there is a specific procedure to follow to automatically switch, securely, to newer keys when they will happen: Automated Updates of DNS Security (DNSSEC) Trust Anchors

Patrick Mevzek
  • 9,921
  • 7
  • 32
  • 43