#DNS #EuDotOrg #DNSSEC
J'arrive pas à saisir mon enregistre DNSKEY pour le domaine que j'essaye de saisir, j'ai le message suivant.
L'enregistrement DS demandé ne correspond à aucune DNSKEY publiée
Pourtant, la commandedrill DNSKEY trans13nrv.eu.org lancé depuis une machine extérieure à mon serveur faisant autoritaire, me donne le résultat suivant:
(…)
trans13nrv.eu.org. 3600 IN DNSKEY 257 3 13 e0Org7Of/JK6J5LZTLnGPVLn3fR01wedEfNS0E66CDCM+0qZpwORpQjL dyoB7TVPvs2Y4SVgDQiPSy+v2M6Orw==
(…)
Elle est donc bien publique.
quelqu'un chez eu.org aurait une idée?
Le boost est très apprécié!
Authenticated #DNSSEC Bootstrapping in Knot DNS
"DNSSEC Bootstrapping allows the child zone operator to publish a signed copy of the child’s CDS/CDNSKEY records under a different name that has an existing chain of trust."
https://en.blog.nic.cz/2024/05/10/authenticated-dnssec-bootstrapping-in-knot-dns/
Setting up DNSCrypt was easier than anticipated on my Debian machine without systemd-resolved. I really like the binary distribution, which is available as a self-contained directory with the binary and sample configuration. You can run the whole thing from that portable directory and move it around or specify locations on the command line if you wanna spread it.
Also, the gradual and modular approach to the generic Linux installation was a delight to follow, always being reminded to take small and verifiable steps along the way.
For anyone interested, this is it: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux
#DNSCrypt #DNSSEC #DNS #sysadmin #debian #netsec #networksecurity #it
#Ed25519 or #ECDSA-P256 or still on some #RSA algorithms? Shorter key length is especially in DNS a benefit but still not all resolvers may be able to support this in 2024?!
New multi-implementation DNSSEC validation DoS vulnerabilities - CVE-2023-50387 ("KeyTrap"), CVE-2023-50868 (NSEC3 vuln)
(living doc, updated regularly - if you prefer a low-edit post to boost, use https://infosec.exchange/@tychotithonus/111926621712441626)
Looks like DNS-OARC coordinated fixes in advance, but I don't see a centralized analysis, other than this announcement from the team who discovered KeyTrap:
https://www.athene-center.de/en/news/press/key-trap
(Details may be still partially embargoed until patching ramps up)?
Analysis:
DoS of all major DNSSEC-validating DNS resolvers (servers, but also maybe local resolvers like systemd's?) at the implementation level. Exploitation described as 'trivial'. Both are CVSS 7.5. DNS is a rich ransom target - but some resolver setups don't even validate DNSSEC.
"In 2012 the vulnerability made its way into the implementation requirements for DNSSEC validation, standards RFC 6781 and RFC 6840" (per ATHENE)
Per the Unbound writeup, both vulns require query to a malicious zone (which is probably not hard to trigger, for any DNSSEC-enabled client or server).
Resolution: patch (recommended); disable DNSSEC validation (discouraged, but can buy you time / mitigate active DoS)
Fixes mitigate the exhaustion by putting caps on validation activities. These caps appear to have been missing from most implementations.
Details:
Two DNSSEC DoS CVEs:
CVE-2023-50387 ("KeyTrap"): "DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers" (CVSS 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
https://seclists.org/oss-sec/2024/q1/125
(KeyTrap was discovered by ATHENE - their press release here has very important detail:
https://www.athene-center.de/en/news/press/key-trap)
CVE-2023-50868: "NSEC3 closest encloser proof can exhaust CPU" (CVSS 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MITRE links (now populated):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868
Vulmon queries:
https://vulmon.com/searchpage?q=CVE-2023-50387
https://vulmon.com/searchpage?q=CVE-2023-50868
VulDB:
https://vuldb.com/?id.253829
Patch status:
ISC BIND (patched - vuln since 2000?):
https://fosstodon.org/@iscdotorg/111924416653890048
https://kb.isc.org/docs/cve-2023-50387
https://kb.isc.org/docs/cve-2023-50868
https://seclists.org/oss-sec/2024/q1/125
https://www.isc.org/blogs/2024-bind-security-release/
(note: posts say "Versions prior to 9.11.37 were not assessed." but also have a range of affected versions starting at 9.0.0 - typo?)
Unbound (patched - vuln since Aug 2007):
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt
https://seclists.org/oss-sec/2024/q1/126
dnsmasq (patched - 2.90 has fix):
https://thekelleys.org.uk/dnsmasq/CHANGELOG
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
Knot (patched in 5.7.1):
https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html
pfSense:
(Bundled Unbound: plan appears to be to make a separate package available for manual update?; BIND: optional package)
https://forum.netgate.com/topic/186145/unbound-cve-2023-50387-and-cve-2023-50868/1
https://redmine.pfsense.org/issues/15256
Pi-Hole (uses dnsmasq - patch available)
https://www.patreon.com/posts/dnssec-fix-98498055
https://pi-hole.net/blog/2024/02/13/fixing-two-new-dnssec-vulnerabilities/
PowerDNS (patched - all versions affected):
https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released
https://github.com/PowerDNS/pdns/pull/13781
https://github.com/PowerDNS/pdns/pull/13784
https://seclists.org/oss-sec/2024/q1/130
systemd.resolved:
[?]
OS status:
Fedora:
https://bodhi.fedoraproject.org/updates/FEDORA-2024-e24211eff0
FreeBSD:
https://cgit.freebsd.org/ports/commit/?id=58e048cad653819eebf91af5840e4b00f155bb1b
Gentoo:
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2023-50387
Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-50387
https://access.redhat.com/security/security-updates/cve [?]
SUSE:
https://bugzilla.suse.com/show_bug.cgi?id=1219823
Ubuntu:
https://ubuntu.com/security/CVE-2023-50387
https://ubuntu.com/security/CVE-2023-50868
https://ubuntu.com/security/notices/USN-6633-1
Windows (Server, DNS Role):
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
Package status:
BIND:
https://repology.org/project/bind/versions
dnsmasq:
https://repology.org/project/dnsmasq/versions
Unbound:
https://repology.org/project/unbound/versions
GitHub:
https://github.com/advisories/GHSA-8459-gg55-8qjj
Go (Knot module?)
https://github.com/golang/vulndb/issues/2552
Non-coverage: (no mentions known yet)
Akamai
https://www.akamai.com/blog [?]
AWS
[?]
Azure (Microsoft Server DNS?)
[?]
Cisco Umbrella:
https://umbrella.cisco.com/blog [?]
Cloudflare
https://blog.cloudflare.com/ [?]
CoreDNS
https://coredns.io/blog/ [?]
Google DNS
[?]
(The Register article (see below) says Google is aware)
Infoblox
https://blogs.infoblox.com/ [?]
Quad9 DNS
https://www.quad9.net/news/blog/ [?]
News/Press
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
Detection/Validation:
Check to see if a server is doing DNSSEC validation (if not an open recursive resolver, you may need to query a zone the server is authoritative for):
# zone signed, server DNSSEC-enabled:
$ delv example.net @8.8.8.8
; fully validated
example.net. 4437 IN A 93.184.216.34
example.net. 4437 IN RRSIG A 13 2 86400 20240225232039 20240204162038 18113 example.net. 94G2PRXins1G9ntfklvCq2mvcgqjB0z9FqQXp77lD/wXR4J3D67ceih1 yNgsYYqlIAOoWKXUekux6Zq9aIwszQ==# zone unsigned, server DNSSEC-enabled:
$ delv google.com @8.8.8.8
; unsigned answer
google.com. 100 IN A 142.250.69.206
Tenable:
https://www.tenable.com/plugins/pipeline/issues/165587
Exploits:
(none yet known / public, but multiple sources describe as "trivial")
#keytrap #nsec3 #CVE202350387 #CVE202350868 #CVE_2023_50387 #CVE_2023_50868
#dns #dnssec