Open-Xchange: Recursor accepts unsigned, empty NXDOMAINs in secure zones

HackerOne report H1:858854
Reporter: mnordhoff
Source: hackerone.com
Published: 2020-04-24 21:00:59
Bounty: $400

EPSS: 0.006 (Low), percentile 77.9%

Hi! This is a slightly edited version of the email I sent to the project’s security contacts on 2020-04-21.

Open-Xchange confirmed it and asked me to resubmit it here.

Subject: Recursor may be accepting unsigned, empty NXDOMAINs in secure zones

I can easily reproduce this against Cloudflare’s authoritative DNS (see below). I put “may be” in the subject because I’m uncomfortable sounding a red alert without checking another authoritative implementation, but I don’t know of one available offhand.

Background: Cloudflare’s authoritative DNS service has a funny issue where it will return an NXDOMAIN with no SOA or DNSSEC records if the query name has a : in it. (They know and don’t want to change it.) Try it with anything – :.cloudflare.com, foo:bar.mattnordhoff.net, whatever.

$ dig +dnssec +norecurse @dana.ns.cloudflare.com foo:bar.mattnordhoff.net

; <<>> DiG 9.17.1 <<>> +dnssec +norecurse @dana.ns.cloudflare.com foo:bar.mattnordhoff.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2420
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;foo:bar.mattnordhoff.net.      IN      A

;; Query time: 3 msec
;; SERVER: 2606:4700:50::adf5:3a69#53(2606:4700:50::adf5:3a69)
;; WHEN: Tue Apr 21 20:23:38 UTC 2020
;; MSG SIZE  rcvd: 53

$ dig +dnssec +norecurse @dana.ns.cloudflare.com foo:bar.mattnordhoff.net ds

; <<>> DiG 9.17.1 <<>> +dnssec +norecurse @dana.ns.cloudflare.com foo:bar.mattnordhoff.net ds
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60683
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;foo:bar.mattnordhoff.net.      IN      DS

;; Query time: 3 msec
;; SERVER: 2606:4700:50::adf5:3a69#53(2606:4700:50::adf5:3a69)
;; WHEN: Tue Apr 21 20:24:41 UTC 2020
;; MSG SIZE  rcvd: 53

A few minutes ago in #powerdns we were talking about wacky characters in DNS labels, so I queried that, and… got a supposedly authenticated NXDOMAIN back from PowerDNS Recursor!

$ dig +dnssec foo:bar.mattnordhoff.net

; <<>> DiG 9.17.1 <<>> +dnssec foo:bar.mattnordhoff.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3681
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;foo:bar.mattnordhoff.net.      IN      A

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 21 20:25:59 UTC 2020
;; MSG SIZE  rcvd: 53

I’m running 4.4.0-alpha0.78.master.g63544077f and 4.4.0-alpha0.273.master.g8b82ded0a.

I can also reproduce it with Quad9: their Unbound instances return SERVFAIL and their PowerDNS Recursor instances return NXDOMAIN. (You can tell them apart by the advertised EDNS buffer size in responses.)

$ dig +dnssec $(uuidgen | sed s/-/:/g).mattnordhoff.net @dns.quad9.net

; <<>> DiG 9.17.1 <<>> +dnssec ce845380:447d:470a:8db9:9f29c7604913.mattnordhoff.net @dns.quad9.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26361
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ce845380:447d:470a:8db9:9f29c7604913.mattnordhoff.net. IN A

;; Query time: 89 msec
;; SERVER: 2620:fe::9#53(2620:fe::9)
;; WHEN: Tue Apr 21 20:28:24 UTC 2020
;; MSG SIZE  rcvd: 82

$ dig +dnssec $(uuidgen | sed s/-/:/g).mattnordhoff.net @dns.quad9.net

; <<>> DiG 9.17.1 <<>> +dnssec 5f8c5c62:06f8:42e2:b834:39aa866b0788.mattnordhoff.net @dns.quad9.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43770
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;5f8c5c62:06f8:42e2:b834:39aa866b0788.mattnordhoff.net. IN A

;; Query time: 113 msec
;; SERVER: 2620:fe::9#53(2620:fe::9)
;; WHEN: Tue Apr 21 20:28:50 UTC 2020
;; MSG SIZE  rcvd: 82

Impact

An active network attacker can spoof NXDOMAIN within secure zones. The correct behavior is only SERVFAIL, but the difference could result in things like turning off DANE in SMTP connections.
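As an added illustration, not part of the report or of PowerDNS's own code: a simplified model of the decision a validating recursor must make for a negative answer in a secure zone, plus a check over the dig header lines quoted above that flags the telltale combination (AD set, status NXDOMAIN, AUTHORITY: 0). The names Response, validate_negative, recursor_rcode and suspicious_ad are mine; the header lines are copied from the report.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Response:
    """Simplified DNS response: rcode plus the RR types seen in each section."""
    rcode: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def validate_negative(resp, zone_secure):
    """Validation state of a negative (NXDOMAIN / NODATA) response.

    In a secure zone a denial of existence must be proven by NSEC or NSEC3
    records with RRSIGs in the AUTHORITY section; an empty AUTHORITY section
    proves nothing and must be Bogus. (A real validator additionally checks
    that the NSEC/NSEC3 records cover the name and that the signatures verify.)
    """
    negative = resp.rcode == "NXDOMAIN" or (resp.rcode == "NOERROR" and not resp.answer)
    if not negative:
        raise ValueError("not a negative response")
    if not zone_secure:
        return "Insecure"
    has_denial = any(t in ("NSEC", "NSEC3") for t in resp.authority)
    return "Secure" if has_denial and "RRSIG" in resp.authority else "Bogus"

def recursor_rcode(resp, zone_secure):
    """What a validating recursor hands to the client: Bogus becomes SERVFAIL."""
    return "SERVFAIL" if validate_negative(resp, zone_secure) == "Bogus" else resp.rcode

# Telltale pattern in dig output: AD set on an NXDOMAIN with an empty AUTHORITY
# section. A correctly validated denial always carries NSEC/NSEC3 records there.
HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: QUERY, status: (\w+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]+); QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+)")

def suspicious_ad(dig_output):
    """True if dig output claims an authenticated NXDOMAIN without any denial records."""
    status, flags = HEADER_RE.search(dig_output), FLAGS_RE.search(dig_output)
    if not status or not flags:
        raise ValueError("unrecognised dig output")
    ad_set = "ad" in flags.group(1).split()
    return status.group(1) == "NXDOMAIN" and ad_set and int(flags.group(3)) == 0

# Header lines copied from the report: PowerDNS Recursor (AD set) vs Unbound (SERVFAIL).
POWERDNS_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3681
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
UNBOUND_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43770
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
```

With `Response("NXDOMAIN")` standing in for Cloudflare's bare answer, `recursor_rcode(..., zone_secure=True)` yields SERVFAIL, the behaviour the report says is correct.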