Hi! This is a slightly edited version of the email I sent to the project’s security contacts on 2020-04-21.
Open-Xchange confirmed it and asked me to resubmit it here.
Subject: Recursor may be accepting unsigned, empty NXDOMAINs in secure zones
I can easily reproduce this against Cloudflare’s authoritative DNS (see below). I put “may be” in the subject because I’m uncomfortable sounding a red alert without checking another authoritative implementation, but I don’t know of one available off hand.
Background: Cloudflare’s authoritative DNS service has a funny issue where it will return an NXDOMAIN with no SOA or DNSSEC records if the query name has a : in it. (They know and don’t want to change it.) Try it with anything – :.cloudflare.com, foo:bar.mattnordhoff.net, whatever.
$ dig +dnssec +norecurse @dana.ns.cloudflare.com foo:bar.mattnordhoff.net
; <<>> DiG 9.17.1 <<>> +dnssec +norecurse @dana.ns.cloudflare.com foo:bar.mattnordhoff.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2420
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;foo:bar.mattnordhoff.net. IN A
;; Query time: 3 msec
;; SERVER: 2606:4700:50::adf5:3a69#53(2606:4700:50::adf5:3a69)
;; WHEN: Tue Apr 21 20:23:38 UTC 2020
;; MSG SIZE rcvd: 53
$ dig +dnssec +norecurse @dana.ns.cloudflare.com foo:bar.mattnordhoff.net ds
; <<>> DiG 9.17.1 <<>> +dnssec +norecurse @dana.ns.cloudflare.com foo:bar.mattnordhoff.net ds
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60683
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;foo:bar.mattnordhoff.net. IN DS
;; Query time: 3 msec
;; SERVER: 2606:4700:50::adf5:3a69#53(2606:4700:50::adf5:3a69)
;; WHEN: Tue Apr 21 20:24:41 UTC 2020
;; MSG SIZE rcvd: 53
A few minutes ago in #powerdns we were talking about wacky characters in DNS labels, so I queried that, and… got a supposedly authenticated NXDOMAIN back from PowerDNS Recursor!
$ dig +dnssec foo:bar.mattnordhoff.net
; <<>> DiG 9.17.1 <<>> +dnssec foo:bar.mattnordhoff.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3681
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;foo:bar.mattnordhoff.net. IN A
;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 21 20:25:59 UTC 2020
;; MSG SIZE rcvd: 53
I’m running 4.4.0-alpha0.78.master.g63544077f and 4.4.0-alpha0.273.master.g8b82ded0a.
I can also reproduce it with Quad9: Their Unbound instances return SERVFAIL and their PowerDNS Recursor instances return NXDOMAIN. (You can tell them apart by the advertised EDNS buffer size in responses.)
$ dig +dnssec $(uuidgen | sed s/-/:/g).mattnordhoff.net @dns.quad9.net
; <<>> DiG 9.17.1 <<>> +dnssec ce845380:447d:470a:8db9:9f29c7604913.mattnordhoff.net @dns.quad9.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26361
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ce845380:447d:470a:8db9:9f29c7604913.mattnordhoff.net. IN A
;; Query time: 89 msec
;; SERVER: 2620:fe::9#53(2620:fe::9)
;; WHEN: Tue Apr 21 20:28:24 UTC 2020
;; MSG SIZE rcvd: 82
$ dig +dnssec $(uuidgen | sed s/-/:/g).mattnordhoff.net @dns.quad9.net
; <<>> DiG 9.17.1 <<>> +dnssec 5f8c5c62:06f8:42e2:b834:39aa866b0788.mattnordhoff.net @dns.quad9.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43770
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;5f8c5c62:06f8:42e2:b834:39aa866b0788.mattnordhoff.net. IN A
;; Query time: 113 msec
;; SERVER: 2620:fe::9#53(2620:fe::9)
;; WHEN: Tue Apr 21 20:28:50 UTC 2020
;; MSG SIZE rcvd: 82
An active network attacker can spoof an NXDOMAIN for names within secure zones. The only correct behavior is SERVFAIL, and the difference matters: a forged NXDOMAIN could, for example, make a mail server conclude there is no TLSA record and turn off DANE for an SMTP connection.
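As an added example (not part of the original report or of PowerDNS), a small Python checker that parses dig’s text output and flags the condition described above: an NXDOMAIN carrying the ad flag while the AUTHORITY section holds no NSEC/NSEC3 denial-of-existence records. The first sample is abridged from the recursor transcript above; the second is a hypothetical, correctly proven NXDOMAIN for example.net with placeholder signatures.

```python
import re
from dataclasses import dataclass, field

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);.*AUTHORITY: (\d+)")

@dataclass
class Verdict:
    status: str = "UNKNOWN"
    flags: set = field(default_factory=set)
    authority: int = 0      # AUTHORITY count from dig's flags line
    denial_rrs: int = 0     # NSEC/NSEC3 records seen in the AUTHORITY section
    problem: str = ""       # non-empty when the answer is suspicious

def parse_dig(text: str) -> Verdict:
    # Read the header, the flags line and the AUTHORITY section of dig output.
    v, in_authority = Verdict(), False
    for line in text.splitlines():
        if m := STATUS_RE.search(line):
            v.status = m.group(1)
        elif m := FLAGS_RE.search(line):
            v.flags, v.authority = set(m.group(1).split()), int(m.group(2))
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            in_authority = line == ";; AUTHORITY SECTION:"
        elif in_authority and line and not line.startswith(";"):
            fields = line.split()  # owner TTL class TYPE rdata...
            if len(fields) > 3 and fields[3] in ("NSEC", "NSEC3"):
                v.denial_rrs += 1
    # A validator can only authenticate a name's nonexistence with NSEC/NSEC3
    # proofs, so AD on an NXDOMAIN without any is a claim it cannot back.
    if v.status == "NXDOMAIN" and "ad" in v.flags and v.denial_rrs == 0:
        v.problem = "AD set on NXDOMAIN without NSEC/NSEC3 proof; expected SERVFAIL"
    return v

# Constructed samples: the first is abridged from the recursor transcript above,
# the second is a hypothetical correctly proven NXDOMAIN for example.net.
RECURSOR_AD_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3681
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;foo:bar.mattnordhoff.net. IN A
"""
PROVEN_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 1 7200 3600 1209600 3600
example.net. 3600 IN RRSIG SOA 13 2 3600 20200501000000 20200421000000 12345 example.net. (sig)
example.net. 3600 IN NSEC a.example.net. NS SOA RRSIG NSEC DNSKEY
example.net. 3600 IN RRSIG NSEC 13 2 3600 20200501000000 20200421000000 12345 example.net. (sig)
"""
```

Feed it the output of dig +dnssec against the resolver under test; a non-empty problem field is the signature of the behavior reported here, while a SERVFAIL (as from the Unbound instances) or an NXDOMAIN accompanied by NSEC/NSEC3 records passes.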