
DNSSEC Downgrade Attacks

Conference: Black Hat USA 2022

2022-08-11

Summary

The presentation discusses downgrade attacks against DNSSEC validation and the resolver-side countermeasures that stop them.
  • Three attack classes are covered: impersonating an authoritative name server through a weak DS digest, downgrading validation to signatures of a weaker algorithm, and forcing the resolver to classify signed data as insecure so that it is accepted without any validation.
  • Countermeasures against impersonation: validate only against the strongest digest type present in the DS RRset (RFC 4509 already requires ignoring SHA-1 DS records when SHA-256 ones are present) and, longer term, migrate zones away from weak algorithms.
  • Countermeasure against signature downgrading: insist on a valid signature of the strongest algorithm present in the DNSKEY RRset instead of accepting any single verifying signature.
  • DNSSEC validation assigns each response one of four security states defined in RFC 4035: secure, insecure, bogus, or indeterminate.
  • A response is classified insecure when the DS records use only digest types or algorithms the resolver does not support; it is then accepted without validation, so an attacker who can steer a resolver into this state bypasses DNSSEC entirely.
  • The presentation demonstrates the attacks against real resolver implementations and public DNS services.
The presentation mentions that less than 10% of the top 500,000 Tranco domains are secured with DNSSEC. This low deployment, together with the attacks shown, illustrates the prevalence of DNS security threats and the need for countermeasures.
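The following is an added example, not code from the talk or from any resolver implementation. It models the validation decisions the summary describes: which DS records a resolver trusts, which RRSIGs it accepts, and the resulting security state (secure, bogus, or insecure; the indeterminate state is left out). A permissive policy (any matching DS digest, any verifying RRSIG) is run beside a strict one (strongest digest type present, strongest algorithm present) against three constructed scenarios. All key tags, digest strings, zone data and the "strength" orderings of algorithms and digest types are assumptions for illustration; the algorithm and digest-type numbers are the real IANA values, while code point 250 is a hypothetical unassigned one standing for "not implemented by this resolver". Cryptography is simulated, so only the policy logic actually runs.

```python
"""Resolver-side DNSSEC validation policy (constructed illustration, added
here; not code from the talk or from any resolver). It derives a security
state from a DS RRset, a DNSKEY RRset and the RRSIGs on an answer, contrasting
a permissive policy (any matching DS digest, any verifying RRSIG) with a strict
one (strongest digest present, strongest algorithm present). Cryptography is
simulated: digests are opaque strings and RRSIG verification is a precomputed
boolean, so only the decision logic runs."""
from dataclasses import dataclass

SECURE, BOGUS, INSECURE = "secure", "bogus", "insecure"

# IANA DNSSEC algorithm numbers (real) with an assumed strength ordering.
RSASHA1, RSASHA256, ECDSAP256SHA256 = 5, 8, 13
ALG_STRENGTH = {RSASHA1: 1, RSASHA256: 2, ECDSAP256SHA256: 3}
# IANA DS digest types (real) with an assumed strength ordering.
DIGEST_SHA1, DIGEST_SHA256 = 1, 2
DIGEST_STRENGTH = {DIGEST_SHA1: 1, DIGEST_SHA256: 2}
UNSUPPORTED = 250  # hypothetical, unassigned code point this resolver lacks

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # stands in for the hash over the DNSKEY RDATA

@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    digests: dict  # digest_type -> what hashing this key would yield

@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    verifies: bool  # simulated result of the real signature check

def ds_matches(ds: DS, key: DNSKEY) -> bool:
    return (ds.key_tag == key.key_tag and ds.algorithm == key.algorithm
            and key.digests.get(ds.digest_type) == ds.digest)

def validate(ds_rrset: list, dnskeys: list, rrsigs: list, strict: bool) -> str:
    """Security state of a signed answer under the permissive or strict policy."""
    # RFC 6840 s5.2: with no DS of a supported algorithm and digest type, the
    # child zone is insecure (treated as unsigned), not bogus.
    usable = [ds for ds in ds_rrset
              if ds.algorithm in ALG_STRENGTH and ds.digest_type in DIGEST_STRENGTH]
    if not usable:
        return INSECURE
    if strict:
        # Strongest-digest rule (RFC 4509 s3 for SHA-1 vs SHA-256, generalized
        # here): ignore every DS whose digest type is weaker than the best present.
        best = max(DIGEST_STRENGTH[ds.digest_type] for ds in usable)
        usable = [ds for ds in usable if DIGEST_STRENGTH[ds.digest_type] == best]
    trusted = [k for k in dnskeys if any(ds_matches(ds, k) for ds in usable)]
    if not trusted:
        return BOGUS
    tags = {(k.key_tag, k.algorithm) for k in trusted}
    good = [s for s in rrsigs if s.verifies and (s.key_tag, s.algorithm) in tags]
    if strict:
        # The talk's countermeasure: the strongest algorithm among the trusted
        # keys must carry a verifying signature; a weaker one alone is bogus.
        strongest = max(ALG_STRENGTH[k.algorithm] for k in trusted)
        good = [s for s in good if ALG_STRENGTH[s.algorithm] == strongest]
    return SECURE if good else BOGUS

def scenario_algorithm_downgrade() -> tuple:
    """Zone signed with ECDSA P-256 and RSA/SHA-1 (both in the DS RRset); an
    on-path attacker strips the ECDSA RRSIG and substitutes an RSA/SHA-1 one
    that verifies (forging it is the assumed attacker capability)."""
    ds = [DS(1001, ECDSAP256SHA256, DIGEST_SHA256, "ec-sha256"),
          DS(1002, RSASHA1, DIGEST_SHA256, "rsa-sha256")]
    keys = [DNSKEY(1001, ECDSAP256SHA256, {DIGEST_SHA256: "ec-sha256"}),
            DNSKEY(1002, RSASHA1, {DIGEST_SHA256: "rsa-sha256"})]
    tampered = [RRSIG(1002, RSASHA1, verifies=True)]  # ECDSA RRSIG removed
    return (validate(ds, keys, tampered, strict=False),
            validate(ds, keys, tampered, strict=True))

def scenario_digest_downgrade() -> tuple:
    """Parent publishes SHA-256 and SHA-1 DS for one key; the attacker's rogue
    key reproduces the legitimate SHA-1 digest (assumed collision) and signs
    the forged answer with its own private key."""
    ds = [DS(2001, RSASHA256, DIGEST_SHA256, "legit-sha256"),
          DS(2001, RSASHA256, DIGEST_SHA1, "legit-sha1")]
    rogue = [DNSKEY(2001, RSASHA256,
                    {DIGEST_SHA256: "rogue-sha256", DIGEST_SHA1: "legit-sha1"})]
    sigs = [RRSIG(2001, RSASHA256, verifies=True)]
    return (validate(ds, rogue, sigs, strict=False),
            validate(ds, rogue, sigs, strict=True))

def scenario_downgrade_to_insecure() -> tuple:
    """An attacker-controlled zone publishes only a DS with a digest type this
    resolver does not implement: both policies fall back to insecure, and the
    answer is accepted unvalidated whatever it contains."""
    ds = [DS(3001, RSASHA256, UNSUPPORTED, "opaque")]
    keys = [DNSKEY(3001, RSASHA256, {})]
    return (validate(ds, keys, [], strict=False),
            validate(ds, keys, [], strict=True))

if __name__ == "__main__":
    for fn in (scenario_algorithm_downgrade, scenario_digest_downgrade,
               scenario_downgrade_to_insecure):
        print(f"{fn.__name__:32s} permissive/strict = {fn()}")
```

The first two scenarios come out secure under the permissive policy and bogus under the strict one, which is the whole point of the countermeasures: the strict resolver fails closed when the strongest available digest or algorithm cannot be checked. The third scenario is the case neither policy can fix on the resolver side alone, since a zone whose DS records are entirely unsupported is, by specification, insecure rather than bogus; the defence there is to support the algorithms in use and to not let a single unsupported DS record drag a chain that also has supported ones into the insecure state.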

Abstract

In this talk, we show that the cryptographic agility in DNSSEC, although critical for making DNS secure with strong cryptography, also introduces a severe vulnerability. We demonstrate that adversaries, by manipulating the cryptographic material in signed DNS responses, can reduce the security level provided by DNSSEC, or, even worse, prevent resolvers from validating DNSSEC at all. We experimentally and ethically evaluate our attacks against popular DNS resolver implementations, public DNS providers, and DNS services worldwide. We validate the success of DNSSEC-downgrade attacks by poisoning the resolvers: we inject fake records, from our own signed domains, into the caches of validating resolvers. Our findings show that major DNS providers, popular resolver implementations, and many other DNS services are vulnerable to our attacks.
