positive answer can be masked out using SOA+RRSIG
Let's have the following signed DNS zone:
nsec.example. 3600 IN NS ns.nsec.example.
nsec.example. 3600 IN SOA ns.nsec.example. root.nsec.example. 6 60 60 120 3600
ns.nsec.example. 3600 IN A 192.0.2.3
*.nsec.example. 3600 IN A 10.6.6.6
An attacker is able to copy the SOA and RRSIG(SOA) records and use these to create a fake NODATA answer for the query missing-nsec-masked-data.local.nsec.example. IN A:
missing-nsec-masked-data.local.nsec.example. IN A
SECTION ANSWER
nsec.example. 3600 IN SOA ns.nsec.example. root.nsec.example. 6 60 60 120 3600
nsec.example. 3600 IN RRSIG SOA 8 2 3600 20170419140236 20170320140236 41524 nsec.example. gZCIxxFWL04vgzuNbZYq3Ghb7OZsZCp1WCcByM602yEgf0IUk8KSqkol pTem3IXQELhFTzbddGFV3Cis5MxZq8XjNbSwXelbUkOkKE4EzDcpldtR yqGnp+ZdZhBrymZvS8dOhwOGllF6AobXx7iFHaY7wtC17XvODduxOBdV mQ/t2QDUnl+Io3s1KfDRf4e22WvtatlQNr9NW+PueeGtGhEdDeyR7VMA fxEqL6Lds7NWN7DPKfsCVgUNkwHzy9opQ64AyVyQAmwRohuon652jKiu MbvJ1vaLxJLeDBnnT3hbMrI/CIfmjqucSOgM9JNXXggIcfBxok5Ze2R5 SL35VA==
ENTRY_END
This passes validation in kresd:
Exception: sets/resolver/nsec_wildcard_no_data_response.rpl step 21 line 269, "flags": expected 'QR RD RA', got 'QR RD RA AD' in the response:
id 1063
opcode QUERY
rcode NOERROR
flags QR RD RA AD
edns 0
eflags DO
payload 4096
;QUESTION
missing-nsec-nodata.local.nsec.example. IN CNAME
;ANSWER
;AUTHORITY
;ADDITIONAL
- kresd: 4a037c10
- test: deckad@618ecf14186a67e0205cee3770c335ca0ef751b2 sets/resolver/nsec_wildcard_no_data_response.rpl
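To make the failure concrete, here is an added example (not kresd's code and not part of this report) of the structural NODATA-proof check from RFC 4035 sections 3.1.3.1 and 3.1.3.4 that a validator has to pass before it may set AD: a NOERROR answer with an empty answer section is only secure when the authority section carries an NSEC that either is owned by the query name and lacks the type, or proves the name absent together with an NSEC for the matching wildcard that lacks the type. A valid RRSIG over the SOA proves nothing about the query name. The NSEC chain for nsec.example. is constructed by hand (the zone in the report shows no NSEC records), and the RR model, canonical_key, nsec_covers, closest_encloser and nodata_is_secure are assumed names; signature verification is taken as already done.

```python
"""Added example: the NODATA-proof check a DNSSEC validator must make before
setting AD (RFC 4035 s.3.1.3.1 and s.3.1.3.4). Toy model, not kresd's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    section: str                    # "answer", "authority" or "additional"
    next_name: str = ""             # NSEC only: next owner name in the chain
    types: frozenset = frozenset()  # NSEC only: type bitmap of the owner


def canonical_key(name):
    """RFC 4034 s.6.1 canonical order: labels right-to-left, case-insensitive."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return [label.encode() for label in reversed(labels)]


def nsec_covers(nsec, name):
    """True when name sorts strictly between the NSEC owner and its next name,
    i.e. this NSEC proves that name does not exist."""
    o, n, q = (canonical_key(x) for x in (nsec.owner, nsec.next_name, name))
    if o < n:
        return o < q < n
    return q > o or q < n   # last NSEC in the zone wraps around to the apex


def closest_encloser(qname, covering):
    """Longest ancestor of qname shared with the covering NSEC's owner or next."""
    q = canonical_key(qname)
    best = []
    for other in (covering.owner, covering.next_name):
        o = canonical_key(other)
        i = 0
        while i < min(len(q), len(o)) and q[i] == o[i]:
            i += 1
        best = q[:i] if i > len(best) else best
    return ".".join(label.decode() for label in reversed(best)) + "."


def nodata_is_secure(qname, qtype, rrs):
    """Return (secure, reason). Signatures are assumed verified already; this is
    only the structural check that the forged answer in the report would fail."""
    if any(rr.section == "answer" for rr in rrs):
        return False, "NODATA answer section must be empty (SOA+RRSIG there is no proof)"
    nsecs = [rr for rr in rrs if rr.section == "authority" and rr.rtype == "NSEC"]
    if not nsecs:
        return False, "no NSEC in authority section: nothing proves the type is absent"
    qk = canonical_key(qname)
    # Case 1: qname exists and the NSEC it owns lacks qtype (and CNAME).
    for n in nsecs:
        if canonical_key(n.owner) == qk:
            if qtype in n.types or "CNAME" in n.types:
                return False, f"NSEC for {qname} lists {qtype} or CNAME: data exists"
            return True, "exact NODATA proof"
    # Case 2: qname does not exist but a wildcard matches it; need an NSEC
    # covering qname plus an NSEC owned by *.<closest encloser> lacking qtype.
    for cov in nsecs:
        if not nsec_covers(cov, qname):
            continue
        wildcard = canonical_key("*." + closest_encloser(qname, cov))
        for n in nsecs:
            if canonical_key(n.owner) == wildcard:
                if qtype in n.types or "CNAME" in n.types:
                    return False, "wildcard has that type: answer should be positive"
                return True, "wildcard NODATA proof"
        return False, "qname proven absent but no NSEC for the matching wildcard"
    return False, "no NSEC matches or covers qname"


# Constructed NSEC chain for the zone in the report (hand-built, not from the page).
APEX_TYPES = frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})
LEAF_TYPES = frozenset({"A", "RRSIG", "NSEC"})
ZONE_NSEC = [
    RR("nsec.example.", "NSEC", "authority", "*.nsec.example.", APEX_TYPES),
    RR("*.nsec.example.", "NSEC", "authority", "ns.nsec.example.", LEAF_TYPES),
    RR("ns.nsec.example.", "NSEC", "authority", "nsec.example.", LEAF_TYPES),
]
QNAME = "missing-nsec-masked-data.local.nsec.example."
# The forged answer from the report: SOA+RRSIG in ANSWER, no NSEC at all.
FORGED = [RR("nsec.example.", "SOA", "answer"), RR("nsec.example.", "RRSIG", "answer")]
# Same trick with the SOA moved to AUTHORITY, still without any NSEC.
FORGED_AUTH = [RR("nsec.example.", "SOA", "authority"), RR("nsec.example.", "RRSIG", "authority")]

if __name__ == "__main__":
    for label, rrs, qtype in (("forged", FORGED, "A"), ("forged-auth", FORGED_AUTH, "A"),
                              ("real chain, A", ZONE_NSEC, "A"), ("real chain, AAAA", ZONE_NSEC, "AAAA")):
        print(label, nodata_is_secure(QNAME, qtype, rrs))
```

Run against the report's query, both forged shapes are rejected; the real NSEC chain rejects a NODATA for type A as well, because the wildcard owns an A record (the answer must be a positive wildcard expansion), while AAAA for the same name is a legitimate wildcard NODATA. A validator that only verified the RRSIG(SOA) never reaches any of these checks, which is why the AD bit appears in the exception above.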