tickets #129694
open
DNS NSEC Notification for opensuse.org
Added by pjessen almost 2 years ago.
Updated 10 months ago.
Description
The below was sent to postmaster@o.o by emailsecurity@notify.cispa.de
Hello,
as part of a study on email security and the support of OPENPGPKEY and SMIMEA mechanisms in particular, we analyzed the DNS zone of opensuse.org.
It came to our attention that the zone is supporting the NSEC mechanism for DNSSEC-authenticated denials of existence. Specifically, NSEC is known to allow third-parties to easily enumerate all records in a DNS zone. This can be used by attackers to gain valuable information about your network architecture and to launch targeted attacks against your infrastructure.
We therefore recommend switching to the NSEC3 record type. NSEC3 provides hashed versions of the record names, which increases the difficulty for attackers to enumerate your DNS zone. Additionally, NSEC3 allows for the use of a salt, which adds an extra layer of protection against pre-computed attacks.
To switch to NSEC3, you will need to modify your DNS configuration to include NSEC3 records instead of NSEC records. This can be done using your DNS management tools, and your DNS service provider should be able to assist you in making the necessary changes.
In case you have any questions or need any assistance, please do not hesitate to reply to this notification.
Kind regards,
Birk Blechschmidt
- Category set to Core services and virtual infrastructure
I know it's easy to do with PowerDNS, however I don't know about the Bind stuff we have in front of it.
- Private changed from Yes to No
- Category changed from Core services and virtual infrastructure to DNS
- Status changed from New to In Progress
- Assignee set to crameleon
For testing, I enabled NSEC3 for opensuse.bar. I mostly opted for settings recommended by RFC5155, the ISC and PowerDNS - which are SHA1 hashing, no opt-out, no salt, but one additional iteration. If I don't find any issues I'll roll it out to more zones and eventually to {,infra.}opensuse.org.
Second wave - enabled for all opensuse-project* domains.
crameleon@chip:/home/crameleon>
while read zone
do
echo $zone
pdnsutil set-nsec3 $zone '1 0 1 -'
pdnsutil rectify-zone $zone
pdnsutil increase-serial $zone
notify_all.sh $zone
done < <(pdnsutil list-all-zones |grep ^opensuse-project)
To test, I use the following on some machine on the internet:
# test NSEC3PARAM is populated
georg@eros ~> for i in (seq 1 4); dig +short @ns$i.opensuse.org opensuse-project.org nsec3param; end
1 0 1 -
1 0 1 -
1 0 1 -
1 0 1 -
# test NSEC3 records exist, and RRSIG records reflect NSEC3
georg@eros ~> for i in (seq 1 4); dig @ns$i.opensuse.org opensuse-project.org +dnssec +noall +authority nsec; echo; end
opensuse-project.org. 43200 IN SOA ns1.opensuse.org. admin.opensuse.org. 2024071802 7200 7200 1209600 86400
opensuse-project.org. 43200 IN RRSIG SOA 13 2 43200 20240801000000 20240711000000 13952 opensuse-project.org. MH2dfcu+eSFX4X8kTiP328y7mReLB9h4jdKVMgadPqD5k+XgSDpLlVAa HzM5/5LAkRJFyZFEprfyFXtlSxJJeA==
g0jggtb1qo2i99va5mb5dbtdpcdoj80v.opensuse-project.org. 43200 IN NSEC3 1 0 1 - 9DAU1GUGKM32OO421SQU4SOCG4J08AB9 A NS SOA TXT AAAA RRSIG DNSKEY NSEC3PARAM
g0jggtb1qo2i99va5mb5dbtdpcdoj80v.opensuse-project.org. 43200 IN RRSIG NSEC3 13 3 43200 20240801000000 20240711000000 13952 opensuse-project.org. 6eue1zML/SLLtYCiKZyPRTzlFJP0OVJa0L0Yk+s9IzUiN9gtUwUU3b8z PjlG20XeMvmRD9SmRVyeDh+yjr94PQ==
< snip - same output 4 times, ideally ;-) >
# verify DNSSEC
georg@eros ~> delv @dns.quad9.net opensuse-project.org
; fully validated # <- good
opensuse-project.org. 43200 IN A 195.135.221.140
opensuse-project.org. 43200 IN RRSIG A 13 2 43200 20240801000000 20240711000000 13952 opensuse-project.org. JUbBGK8ZBhvo5pCkYGF667dhdlBqaJ9fH1TlrkQ2ACLf9I1EDUmWnzxt cnwRTVYSLLlCp08AUmUPo+D3FDvLbA==
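The notification above describes why NSEC lets a third party walk a zone and why NSEC3 does not, and the dig output shows the resulting NSEC3 owner names. The script below is an added example (not from the ticket, the CISPA study, or the PowerDNS/BIND code) that implements the RFC 5155 owner-name hash, reproduces the apex hash g0jggtb1qo2i99va5mb5dbtdpcdoj80v from the dig output for the `1 0 1 -` NSEC3PARAM, walks a constructed NSEC chain for a fictional zone to show the enumeration the email warns about, and checks whether an NSEC3 record covers a name. The zone names in NSEC_CHAIN are invented for illustration.

```python
import base64
import hashlib

# --- RFC 5155 NSEC3 owner-name hashing ---------------------------------

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of a domain name; this is what NSEC3 hashes."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

# base32 -> base32hex (RFC 4648 "Extended Hex" alphabet used for NSEC3 owner labels)
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 1, algorithm: int = 1) -> str:
    """H(name) per RFC 5155 section 5: SHA-1 applied (iterations + 1) times with the
    salt appended each round; the lowercase base32hex result is the NSEC3 owner label."""
    if algorithm != 1:
        raise ValueError("only SHA-1 (hash algorithm 1) is defined for NSEC3")
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def parse_nsec3param(rdata: str):
    """Parse 'alg flags iterations salt' as dig prints NSEC3PARAM; '-' means no salt."""
    alg, flags, iterations, salt = rdata.split()
    return int(alg), int(flags), int(iterations), (b"" if salt == "-" else bytes.fromhex(salt))

# --- NSEC zone walking (the weakness the notification describes) --------

# Constructed NSEC chain for a fictional zone (not opensuse.org data).
# Each NSEC record is signed and returned on any NXDOMAIN/NODATA answer,
# so its "next owner name" field hands the querier the following name.
NSEC_CHAIN = {
    "example.test.": "admin-vpn.example.test.",
    "admin-vpn.example.test.": "db01.example.test.",
    "db01.example.test.": "www.example.test.",
    "www.example.test.": "example.test.",  # last record wraps back to the apex
}

def walk_nsec(chain: dict, apex: str) -> list:
    """Enumerate every name in a zone by following NSEC 'next' pointers from the apex
    until the chain wraps. Live, each step is one query for a name just past the
    current owner; here the signed chain is modelled as a lookup table."""
    names, current = [], apex
    while True:
        names.append(current)
        current = chain[current]
        if current == apex:
            return names

# --- NSEC3 covering check (what a validator does instead of reading names) ----

def nsec3_denies(owner_hash: str, next_hash: str, qname: str,
                 salt: bytes = b"", iterations: int = 1) -> bool:
    """True if the NSEC3 record (owner_hash, next_hash) proves qname does not exist:
    H(qname) must fall strictly between the two hashes, with wrap-around on the
    last record of the chain. An equal hash means the name exists (no denial)."""
    h = nsec3_hash(qname, salt, iterations)
    owner, nxt = owner_hash.lower(), next_hash.lower()
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # last record: the hash ring wraps around

if __name__ == "__main__":
    alg, flags, iterations, salt = parse_nsec3param("1 0 1 -")
    # Should reproduce the apex owner name seen in the dig output in this ticket.
    print(nsec3_hash("opensuse-project.org", salt, iterations, alg))
    print("NSEC walk of the constructed zone:", walk_nsec(NSEC_CHAIN, "example.test."))
    print("apex covered by its own NSEC3?",
          nsec3_denies("g0jggtb1qo2i99va5mb5dbtdpcdoj80v",
                       "9dau1gugkm32oo421squ4socg4j08ab9", "opensuse-project.org"))
```

Running the hash over the apex name with the parameters from the ticket gives exactly the owner label in the dig output, which is a quick way to confirm that a resolver sees the NSEC3PARAM you intended. The walk shows that with NSEC the `next` field is the plaintext name; with NSEC3 a querier only learns hashes and has to guess names and hash them itself, which is why the salt and extra iteration matter less than simply not exposing the chain in clear.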