wildcard answer can be used to mask explicit answers from the same range
There is a bug in wildcard proof validation. Suppose we have a DNS zone with the following records:
- `*.nsec.example. 3600 IN A 10.6.6.6`
- `explicita.nsec.example. 3600 IN A 203.0.113.1`
- `explicita2.nsec.example. 3600 IN A 203.0.113.2`
Right now an attacker is able to fool kresd using this technique:
- query for `a.local.nsec.example. IN A`
- modify the obtained answer: rename the owner name `a.local.nsec.example.` to `explicita2.nsec.example.`
- return this modified answer to queries for `explicita2.nsec.example.`
Observed results:
- kresd 91dd2c6d returns a NOERROR answer with the AD flag set.
- unbound-1.5.10-1.fc25.x86_64 detects this and answers with SERVFAIL.
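The check that separates the two observed results, as an added example (not code from this report, kresd or Unbound): a validator must confirm that the NSEC accompanying a wildcard-expanded answer actually covers the name being answered, which the NSEC for `a.local.nsec.example.` cannot do for `explicita2.nsec.example.`. The NSEC chain for the zone above is constructed here, and RRSIG verification is left out.

```python
# Added example (not from the report or kresd): the NSEC "covers" check a
# DNSSEC validator must apply to a wildcard-expanded answer (RFC 4035 5.3.4).

def labels(name):
    """Labels of an absolute name, lowest label first, case-folded."""
    return [lbl.lower().encode() for lbl in name.rstrip(".").split(".")]

def canonical_key(name):
    """RFC 4034 6.1 canonical ordering: compare labels from the root down;
    a shorter name that is a prefix sorts first, which Python lists do."""
    return list(reversed(labels(name)))

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between owner and next_name, i.e. the
    NSEC proves qname does not exist. The last NSEC wraps to the apex."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n          # wrap-around NSEC at the end of the chain

def wildcard_answer_valid(owner, rrsig_labels, nsec_chain):
    """owner is the owner name of the answer RRset, rrsig_labels the Labels
    field of its RRSIG. Fewer RRSIG labels than owner labels means a wildcard
    expansion, acceptable only if some NSEC proves that the 'next closer
    name' (closest encloser plus one more label) does not exist."""
    lbls = labels(owner)
    if rrsig_labels >= len(lbls):
        return True                # no wildcard involved, nothing to prove
    next_closer = ".".join(lbl.decode() for lbl in lbls[-(rrsig_labels + 1):]) + "."
    return any(nsec_covers(o, n, next_closer) for o, n in nsec_chain)

# NSEC chain constructed from the zone in the report (apex, wildcard, two
# explicit names), as (owner, next owner) pairs in canonical order.
NSEC_CHAIN = [
    ("nsec.example.", "*.nsec.example."),
    ("*.nsec.example.", "explicita.nsec.example."),
    ("explicita.nsec.example.", "explicita2.nsec.example."),
    ("explicita2.nsec.example.", "nsec.example."),
]
WILDCARD_RRSIG_LABELS = 2          # RRSIG for *.nsec.example. counts nsec, example

def report_scenario():
    """Genuine wildcard answer vs. the same answer renamed to an explicit name."""
    genuine = wildcard_answer_valid("a.local.nsec.example.", WILDCARD_RRSIG_LABELS, NSEC_CHAIN)
    forged = wildcard_answer_valid("explicita2.nsec.example.", WILDCARD_RRSIG_LABELS, NSEC_CHAIN)
    return genuine, forged         # (True, False): the renamed answer must fail

if __name__ == "__main__":
    print(report_scenario())
```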
A work-in-progress test is available in deckard@247687632ebdf1ac934e0992500fc00e745c5d73 as sets/resolver/nsec_wildcard_answer_response.rpl.