iterate: update zone cut when NS is authoritative for both parent and child
In some cases the NS is authoritative for both the parent and the child side of the delegation (e.g. nrl.navy.mil). When it gets the query for such an NS, it can respond from the child side with an NS record in the answer and AA=1. The resolver should update the zone cut accordingly, otherwise it would fail validation in cases when the child side of the delegation is insecure but the parent side of the delegation is secure, because the child side would respond without DNSSEC records, and it wouldn't indicate that the zone cut needs updating (when using minimal answers) (e.g. www.nrl.navy.mil).
The example that reproduces it is `www.nrl.navy.mil`; the problem is when the resolver reaches the `nrl.mil.` zone cut:

```
[52781][resl] => querying: '152.229.110.235' score: 72 zone cut: 'navy.mil.' qname: 'NrL.NAvY.mIl.' qtype: 'NS' proto: 'udp'
[52781][iter] <= rcode: NOERROR
[52781][iter] <= found cut, retrying with non-minimized name
```
It's in fact the same nameserver as for `navy.mil` and returns this:

```
$ kdig @152.229.110.235 NS nrl.navy.mil
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53423
;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; nrl.navy.mil. IN NS
;; ANSWER SECTION:
nrl.navy.mil. 1677 IN NS ns1.nrl.navy.mil.
nrl.navy.mil. 1677 IN NS ns2.nrl.navy.mil.
```
The resolver will treat this as an authoritative answer (as it should) and retry without minimisation. It however doesn't update its zone cut to `nrl.navy.mil` (which is signed), so it expects a signed answer in the next query, but gets:

```
$ kdig @152.229.110.235 A www.nrl.navy.mil
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 62333
;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; www.nrl.navy.mil. IN A
;; ANSWER SECTION:
www.nrl.navy.mil. 1949 IN A 132.250.5.100
```
It retries for RRSIG, but doesn't get anything and ends with a bogus NODATA proof, which would be correct if the delegation was `navy.mil`, but the server is answering from the `nrl.navy.mil` delegation.
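The zone-cut update described in the commit message and the comment above, as an added illustration that is not Knot Resolver's own code: it replays the two responses quoted above (constructed here as sample data, with a simplified message model rather than kresd's real structures) and shows why the validator's verdict depends on whether the cut moved from `navy.mil.` to `nrl.navy.mil.`.

```python
# Added illustration, not kresd code: a minimal model of the iterator's
# "found cut" decision and of what the validator then expects.
from dataclasses import dataclass, field

@dataclass
class RR:
    owner: str
    rtype: str
    rdata: str

@dataclass
class Msg:
    qname: str
    qtype: str
    aa: bool                      # AA flag of the response
    answer: list = field(default_factory=list)

def is_subdomain(name, zone):
    """True when absolute `name` is at or below absolute `zone`."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)

def update_zone_cut(msg, cut):
    """Return the cut to continue with after processing `msg`.

    An authoritative (AA=1) answer whose ANSWER section carries NS records
    owned by the queried name, with that name strictly below the current
    cut, means the server is serving the child zone: the cut moves down.
    """
    ns = [rr for rr in msg.answer
          if rr.rtype == "NS" and rr.owner.lower() == msg.qname.lower()]
    if (msg.aa and ns and is_subdomain(msg.qname, cut)
            and msg.qname.lower() != cut.lower()):
        return msg.qname.lower()
    return cut

def validation_state(cut, secure_cuts):
    """Verdict for an unsigned AA answer received under `cut`.
    `secure_cuts` are cuts whose DS chain is already proven (simplified)."""
    if cut in secure_cuts:
        return "bogus"      # signed zone answered without RRSIGs
    return "need DS"        # new cut: fetch its DS from the parent first

# Constructed from the kdig output quoted above.
NS_RESP = Msg("nrl.navy.mil.", "NS", aa=True, answer=[
    RR("nrl.navy.mil.", "NS", "ns1.nrl.navy.mil."),
    RR("nrl.navy.mil.", "NS", "ns2.nrl.navy.mil.")])
A_RESP = Msg("www.nrl.navy.mil.", "A", aa=True,
             answer=[RR("www.nrl.navy.mil.", "A", "132.250.5.100")])

def resolve_www(update_cut):
    """Replay both responses; `update_cut` toggles the fix on or off."""
    cut, secure = "navy.mil.", {"navy.mil."}
    if update_cut:
        cut = update_zone_cut(NS_RESP, cut)
    cut = update_zone_cut(A_RESP, cut)   # plain A answer: cut unchanged
    return cut, validation_state(cut, secure)
```

With the fix off the cut stays at `navy.mil.` and the unsigned A answer is judged bogus; with it on the cut becomes `nrl.navy.mil.` and the resolver has to query DS for the child before deciding.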