DVE-2018-0003: inaccurate NSEC3 answer results in domain unreachability if the resolver applies aggresive negative caching
Multiple domains were found to return inaccurate NSEC3 record, stating that only TXT records exist for the zone even if other RR types are returned by the name server. Resolvers with aggressive caching enabled will synthesize NODATA answers for other query types until the incorrect NSEC3 record expires from the resolver cache. This effectivelly leads to DoS for affected domains.
Known domains affected in late 2018 (it is expected there are lot more):
wwww.cezdistribuce.cz
cezonline.cez.cz
On June 30th 2021, a related but slightly different failure was observed in postbank.de.
For easy referencing, this new failure is registered separately as DVE-2021-0001.
Query for AAAA RR type returns NSEC3 RR for name www.cezdistribuce.cz. (n02ft24jq9ak9stjtpjo3hg8mu8r6a88) which states that only TXT RR exists:
$ nsec3dig 89.111.73.200 53 www.cezdistribuce.cz AAAA
Reply to question for qname='www.cezdistribuce.cz', qtype=AAAA
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
1 cezdistribuce.cz. IN SOA 86400 ns10.cez.cz. netmaster.cezdata.cz. 2018071202 28800 7200 864000 86400
1 cezdistribuce.cz. IN RRSIG 86400 SOA 10 2 86400 20180916183059 20180909183059 45818 cezdistribuce.cz. GbMRBbu385sqhlsnDJ6q88ES/AnoN0JG+P1/nljBt5kmZpfYcyjiAfXrlaOLCpsnTfeJaAw+rljwA5jtkoeqvDmnujyGI944oeHl8DL/1KJPDEEjvVy+rGsAX2NUSVyQTbQiA9Tk8HKzeBcaIkxfqsG2zu5AX+3PpDnwUJvfVAI=
1 cezdistribuce.cz. IN RRSIG 86400 SOA 10 2 86400 20180914102111 20180907102111 26051 cezdistribuce.cz. MB1vhNWLKBJwy3h+PUEQPbMXoKDBYQr/wW9tslXoAgwEM3uQ+FDGrOdzZU3KylGn8nIOUc+pbtMUZpmca9kxnUlUHS4WWN173ZZs6DRDZBanv0MDxrYx0obnlbdEvV63UqBLxykIXgP34U/dB2tDBM0MzzNxDIL7CQG+sY6E6fs=
1 n02ft24jq9ak9stjtpjo3hg8mu8r6a88.cezdistribuce.cz. IN NSEC3 86400 1 0 1 1dfeee00fae21dc1 N02FT24JQ9AK9STJTPJO3HG8MU8R6A89 TXT
1 n02ft24jq9ak9stjtpjo3hg8mu8r6a88.cezdistribuce.cz. IN RRSIG 86400 NSEC3 10 3 86400 20180915115634 20180908115634 45818 cezdistribuce.cz. Wyhzc0I295n4orLAtp/XxKmQvdJB4pj1WkfU3VBU7ohmKPrDDgU8KE+5ifOy2UDZ7cXqcjGv270zzTSmGNwGS3HcKl3du+POoVMGhox77Dxk3rwP+XyaO7Mdp+a2vv8kFNqEEPt9tdm2qf1o+vXe18kymigBCwAiHnoNK9c3Ys8=
1 n02ft24jq9ak9stjtpjo3hg8mu8r6a88.cezdistribuce.cz. IN RRSIG 86400 NSEC3 10 3 86400 20180915115634 20180908115634 26051 cezdistribuce.cz. jFTSlBCQ2VE7EHWyezZA0u8PhG5WTDhf3prUyO41LkWReLz6GE6OAgKdzpjVZOk49Ni4HwMwP2eEx5PjH0aO/cgjEMwWShNd3AjN3BZvyXVWg9ZUY1afpfHE279stY0J02TRU/CBoEQj6zoFPjWPmD589VhxPIMXeVesKSsLH/8=
2 . IN OPT 32768
== nsec3 prove/deny report follows ==
www.cezdistribuce.cz. (n02ft24jq9ak9stjtpjo3hg8mu8r6a88) proven by base of n02ft24jq9ak9stjtpjo3hg8mu8r6a88..n02ft24jq9ak9stjtpjo3hg8mu8r6a89
qname found proven, NODATA response?
At the same time query for A RR type returns a valid answer with an IPv4 address:
$ nsec3dig 89.111.73.200 53 www.cezdistribuce.cz A
Reply to question for qname='www.cezdistribuce.cz', qtype=A
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
0 www.cezdistribuce.cz. IN A 30 89.111.76.140
0 www.cezdistribuce.cz. IN RRSIG 30 A 10 3 30 20180916182239 20180909182239 45818 cezdistribuce.cz. g7wM+iOlkG9JzOYs7xIrtOaqJ5S7uC5nrGmIqVk6hvck7NWM9ImGBrXg2dONz5ugNhlJf0ILtBBUZA2RhAyxER+pxce8xehDpJCbxJUKIyavq9Fvn/ld3YdbNpS66tsUGEgf13JwSWJgAIJkxlTTfC1McjjAyVtviKKe074WFDw=
0 www.cezdistribuce.cz. IN RRSIG 30 A 10 3 30 20180914102108 20180907102108 26051 cezdistribuce.cz. rgjsziyHj8oFFWTtiNZ/B9v6phtNGVWvKVbLiAeG9Y/RIYP6cvLQgqEa6Wq9Sepg8lQdXCKCDWcT2qzgUgfYXUzNX0e6szzPTfDoIURY16gx+73WyaMFIARHNeNp7axUtAjpPXMdhDB7Gb9pdijUu9gRo2Pav9VwiEh+Id1X/Ck=
2 . IN OPT 32768
== nsec3 prove/deny report follows ==
== qname found in names, investigating NSEC3s in case it's a wildcard
The nameserver or load balancer vendor should fix code generating NSEC3 records to include all record types available at given owner name.
- Lowering TTL on the nameserver for the non-existent record could minimize the impact but any TTL > 0 will cause problems.
- Disabling DNSSEC validation for the domain on validating resolver will ensure reachability of the domain at price of will lowering security of given domain.
None at the moment.
Submit-Date: 2018-09-11