Kiall, there's a typo in the screenshot “their [z]one pointing”.
I think the description of the attack is a bit misleading. I would expect that some resolvers use the name server A record from glue. Then the attacker can serve a zone with a non-minimal reply which overrides the entire zone NS RRset, hijacking the zone. The second part is necessary to bypass the trust ranking rules. I am not sure if resolvers can actually filter out such glue records.
I'm surprised that the PowerDNS documentation says that out-of-zone-additional-processing defaults to off. This doesn't match what I saw in my experiment. I will raise this with PowerDNS upstream.
Can we delay updating this documentation until PowerDNS has had a chance to respond, please?