1. DNS/unbound/harden-referral-path
/conf /sample /sample2 /動作確認 |
/sample https://twitter.com/beyondDNS/status/545379808272596992
harden-referral-pathを指定しても、referral 返答を信用して、NSを取り直しているだけのように見えるのですが、 その理解であっていますか。(これだと、いわゆる「委任インジェクション」(委譲毒)は防げない)
Kaminskyの指摘から10年:
https://twitter.com/beyondDNS/status/982623038956036096
Unboundに harden-referral-path設定が入ったのがKaminskyの指摘の直後のようなので、 Authority Sectionによる毒盛への対策だと解釈するとすっきりします。 (Mueller型への対策にはなっていないのが気になっていました。) BINDはいまだに対策していない。
https://docs.menandmice.com/display/MM660/Caching+DNS+Servers (Unbound ?)
https://bugzilla.redhat.com/show_bug.cgi?id=678899
Paul Wouters 2011-06-06 21:35:48 EDT
So there is a good reason to do this. What this option does is provide added security to non-DNSSEC domains. It looks up NS records on at least two nameservers, so that you would have to cache poison not one, but two packets successfully. If this is failing, it usually means the domain nameservers are not setup properly. The link you refer to is a bug that has been fixed. Is this really a widespread problem?
毒を信用してしまってはチェックにならない。間違いの検出くらいだろう。-- ToshinoriMaeno 2015-09-14 12:01:04
unbound-1.4.22/iterator iterator.c
if(!qstate->env->cfg->harden_referral_path || ( qstate->qinfo.qtype == LDNS_RR_TYPE_NS && (qstate->query_flags&BIT_RD) && !(qstate->query_flags&BIT_CD) /* we know that all other NS rrsets are scrubbed * away, thus on referral only one is left. * see if that equals the query name... */ && ( /* auth section, but sometimes in answer section*/ reply_find_rrset_section_ns(iq->response->rep, iq->qchase.qname, iq->qchase.qname_len, LDNS_RR_TYPE_NS, iq->qchase.qclass) || reply_find_rrset_section_an(iq->response->rep, iq->qchase.qname, iq->qchase.qname_len, LDNS_RR_TYPE_NS, iq->qchase.qclass) ) )) { /* Store the referral under the current query */ /* no prefetch-leeway, since its not the answer */ iter_dns_store(qstate->env, &iq->response->qinfo, iq->response->rep, 1, 0, 0, NULL); if(iq->store_parent_NS) iter_store_parentside_NS(qstate->env, iq->response->rep); if(qstate->env->neg_cache) val_neg_addreferral(qstate->env->neg_cache, iq->response->rep, iq->dp->name); }