resolved DNSSEC validation can be bypassed by MITM

[AgentOak]

systemd version the issue has been seen with

251.8-1-manjaro

Used distribution

Manjaro

Linux kernel version used

5.15.81-1-MANJARO

CPU architectures issue was seen on

x86_64

Component

systemd-resolved

Expected behaviour you didn't see

When DNSSEC=yes is set and querying a DNSSEC-enabled domain, systemd-resolved should only accept records that are signed correctly.

Unexpected behaviour you saw

systemd-resolved accepts records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

Please note that I have repeatedly tried to report this issue to the systemd-security mailing list. I sent a mail with the details and reproduction steps to the systemd-security address on Oct 6th, Oct 14th and Oct 22nd. I first received a reply on Oct 24th from Lennart Poettering, asking for some basic system information, which I provided on the same day. Then I received no further reply, so I sent the report one more time to systemd-security on Nov 7th. The next day Poettering replied to my previous mail, asking for a debug log, but not directly acknowledging the issue. I sent debug logs on Nov 10th and haven't heard back from anyone since then.

Steps to reproduce the problem

The issue can be reproduced with an unbound server and a typetransparent local-zone to simulate an attacker modifying select records. cloudflare.net is used as an example domain since it is signed and valid. In this example, the DNS server is run on 192.168.1.1 and the systemd client has any address in the same /24 network.

unbound.conf:

server:
  # Allow running unbound unprivileged
  username: ""
  use-syslog: no
  chroot: ""
  pidfile: ""

  interface: 0.0.0.0
  port: 10053
  access-control: 192.168.1.1/24 allow

  local-zone: www.cloudflare.net typetransparent
  local-data: "www.cloudflare.net. 3600 IN A 1.2.3.4"

forward-zone:
  name: .
  forward-addr: 1.1.1.1
  forward-addr: 1.0.0.1
  forward-first: no

1. On the "attacker" machine, install unbound and run unbound -d -v -c unbound.conf.
2. On the machine running systemd-resolved, run sudo systemd-resolve --set-dns 192.168.1.1:10053 --set-dnssec yes --interface enp0s3. (Replace IP and interface name accordingly).
3. Run resolvectl status to confirm our DNS server is used and output contains DNSSEC=yes/supported.
4. Run resolvectl query cloudflare.net which should produce the correct reply and Data is authenticated: yes, confirming that the domain is DNSSEC-signed.
5. Run resolvectl query www.cloudflare.net:

$ resolvectl query www.cloudflare.net
www.cloudflare.net: 1.2.3.4                    -- link: enp0s3

-- Information acquired via protocol DNS in 25.6ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network

systemd-resolved accepts the bogus response. Running dig @127.0.0.53 www.cloudflare.net also shows the status is NOERROR. When resolved is configured as system resolver (e.g. through /etc/resolv.conf), curl -v http://www.cloudflare.net tries to connect to 1.2.3.4, showing that applications are successfully tricked with the manipulated record.

Note that resolved does state the data is unauthenticated and also does not set the AD bit when queried on 127.0.0.53.

Repeat the test but replace typetransparent with static in the unbound configuration. In this case, resolved rejects the response as expected:

$ resolvectl query www.cloudflare.net
www.cloudflare.net: resolve call failed: DNSSEC validation failed: no-signature

(Note that due to another bug #24827, resolved will still reply with the records on 127.0.0.53, but it has status: SERVFAIL, so applications generally won't use this answer)

The difference is that static replaces all data for the www.cloudflare.net domain, whereas typetransparent only replaces the A record(s). Both strip the RRSIG records from affected queries.

My knowledge on DNS isn't great, but as far as I know no unsigned record should be allowed anywhere under the zone cloudflare.net, unless there was an insecure delegation (NS record without corresponding DS record).
However, it appears only signatures of some types of records actually matter to resolved, for example the SOA record. The RRSIG signatures on A/AAAA (and probably more) records can simply be stripped and resolved will accept the data without ensuring its validity.

Additional program output to the terminal or log subsystem illustrating the issue

systemd-resolved debug logs, including all output after running `resolvectl query www.cloudflare.net` are posted in this gist, separate for the typetransparent and the static test case: https://gist.github.com/AgentOak/11c64ff8701c4cd853d6b99382a40704

[pemensik]

Yes, I confirm this is a serious bug. It allows downgrading to unsigned responses, which are accepted by resolved just fine. Anyone who just strips signatures can forge anything they want.

Reproduced that on systemd-253.5-6.fc39.x86_64. I have used www.example.org, which is signed also.

# resolvectl query -t a www.example.org
www.example.org IN A 127.0.0.1

# resolvectl
Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=yes/supported
  resolv.conf mode: stub
       DNS Servers: 127.0.0.1

Link 2 (host0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 127.0.0.1
       DNS Servers: 127.0.0.1
# delv www.example.org
;; broken trust chain resolving 'www.example.org/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain
# delv @localhost www.example.org
;; insecurity proof failed resolving 'www.example.org/A/IN': 127.0.0.1#53
;; validating www.example.org/A: got insecure response; parent indicates it should be secure
;; insecurity proof failed resolving 'www.example.org/A/IN': ::1#53
;; resolution failed: insecurity proof failed

# drill -k /var/lib/unbound/root.key -D www.example.org
;; Number of trusted keys: 1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 48044
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; www.example.org.	IN	A

;; ANSWER SECTION:
www.example.org.	3600	IN	A	127.0.0.1

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 6 msec
;; EDNS: version 0; flags: do ; udp: 65494
;; SERVER: 127.0.0.53
;; WHEN: Wed Jul 12 12:55:30 2023
;; MSG SIZE  rcvd: 60
; www.example.org.	3600	IN	A	127.0.0.1
Bad data; RR for name and type not found or failed to verify, and denial of existence failed.


# drill -k /var/lib/unbound/root.key -D example.org
;; Number of trusted keys: 1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 45411
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; example.org.	IN	A

;; ANSWER SECTION:
example.org.	10501	IN	A	93.184.216.34
example.org.	10501	IN	RRSIG	A 13 2 86400 20230730225255 20230710002038 19897 example.org. 8cBc05Jk1h9pTPqfEvN4HPki3PPnoSbYUlz0INU6kQ+Tec+vYnbPcn6Nqy5fadmsLRzyyfTo6gJSky59hFONgw==

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 12 msec
;; EDNS: version 0; flags: do ; udp: 65494
;; SERVER: 127.0.0.53
;; WHEN: Wed Jul 12 12:56:01 2023
;; MSG SIZE  rcvd: 163
; example.org.	10501	IN	A	93.184.216.34
; No keys with the keytag and algorithm from the RRSIG found for id = 20326, owner = .

@keszybz @msekletar I would consider this high severity, unless DNSSEC can be not compiled in at all. This makes DNSSEC support just virtual and useless.

[pemensik]

Of course where signatures are not removed, it works fine. Of course ResolveUnicastSingleLabel=no is breaking validation from delv and others doing full verification from root.

# delv -t AAAA www.example.org @127.0.0.1
; fully validated
www.example.org.	43009	IN	AAAA	2606:2800:220:1:248:1893:25c8:1946
www.example.org.	43009	IN	RRSIG	AAAA 13 3 86400 20230730030327 20230709122038 19897 example.org. HPXAjF6ji9/BZ70QIFciHZFQ08ebcHFMC3wqmZDkCpLb6q1Zf+w11TcC qIFCscQlsNszkRhBjmmZwAZ67N+9Hw==
[root@rawhide ~]# delv -t AAAA www.example.org @127.0.0.53
;; broken trust chain resolving 'example.org/DS/IN': 127.0.0.53#53
;; broken trust chain resolving 'example.org/DNSKEY/IN': 127.0.0.53#53
;; broken trust chain resolving 'www.example.org/AAAA/IN': 127.0.0.53#53
;; resolution failed: broken trust chain

[root@rawhide ~]# delv -t AAAA www.example.org @127.0.0.54
; fully validated
www.example.org.	42853	IN	AAAA	2606:2800:220:1:248:1893:25c8:1946
www.example.org.	42853	IN	RRSIG	AAAA 13 3 86400 20230730030327 20230709122038 19897 example.org. HPXAjF6ji9/BZ70QIFciHZFQ08ebcHFMC3wqmZDkCpLb6q1Zf+w11TcC qIFCscQlsNszkRhBjmmZwAZ67N+9Hw==

[root@rawhide ~]# resolvectl 
Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=yes/supported
  resolv.conf mode: stub
       DNS Servers: 127.0.0.1

Link 2 (host0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 127.0.0.1
       DNS Servers: 127.0.0.1

[pemensik]

According to unbound logs, it did appropriate queries.

# journalctl -xeu unbound
Jul 12 12:36:08 rawhide unbound[1479]: [1479:0] info: start of service (unbound 1.17.1).
Jul 12 12:36:43 rawhide unbound[1479]: [1479:1] info: generate keytag query _ta-4f66. NULL IN
Jul 12 13:16:29 rawhide unbound[1479]: [1479:3] info: 127.0.0.1 www.example.org. A IN
Jul 12 13:16:29 rawhide unbound[1479]: [1479:0] info: 127.0.0.1 www.example.org. SOA IN
Jul 12 13:16:29 rawhide unbound[1479]: [1479:3] info: 127.0.0.1 example.org. DNSKEY IN
Jul 12 13:16:29 rawhide unbound[1479]: [1479:0] info: 127.0.0.1 www.example.org. DS IN
Jul 12 13:16:29 rawhide unbound[1479]: [1479:0] info: 127.0.0.1 example.org. DS IN
Jul 12 13:16:29 rawhide unbound[1479]: [1479:2] info: 127.0.0.1 example.org. SOA IN
Jul 12 13:16:29 rawhide unbound[1479]: [1479:3] info: 127.0.0.1 org. DNSKEY IN
Jul 12 13:16:29 rawhide unbound[1479]: [1479:3] info: 127.0.0.1 org. DS IN
Jul 12 13:16:29 rawhide unbound[1479]: [1479:1] info: 127.0.0.1 . DNSKEY IN

[root@rawhide ~]# delv +dnssec @localhost www.example.org ds
;; resolution failed: ncache nxrrset
; negative response, fully validated
; www.example.org.	4	IN	\-DS	;-$NXRRSET
; example.org. SOA ns.icann.org. noc.dns.icann.org. 2022091309 7200 3600 1209600 3600
; example.org. RRSIG SOA ...
; 2um39jhkjh9ji063sjoe2ojitictqjgq.example.org. NSEC3 1 0 5 CBC342D6EF20B86F SI4A4T6O7VP04OUCDB0Q9PI317K1UUC8 A TXT AAAA RRSIG
; 2um39jhkjh9ji063sjoe2ojitictqjgq.example.org. RRSIG NSEC3 ...

[root@rawhide ~]# delv +dnssec @localhost example.org dnskey
; fully validated
example.org.		2272	IN	DNSKEY	257 3 13 kRMX25/TJovOrsWq9Hv6QEFpzYsxItaOWPduFEwPz+5FM97SEHyCx+fc /XUN9gtktpXx45LAZpg/sFFEQH89og==  ; KSK; alg = ECDSAP256SHA256 ; key id = 22273
example.org.		2272	IN	DNSKEY	256 3 13 PznHCASFqSzeuHMYEdl6CauJtJUz6JbcyVYowRID9vN6Egsnn6NzhKbR RMReB6F0kXGy98LhiCn6TMG1W15nyA==  ; ZSK; alg = ECDSAP256SHA256 ; key id = 19897
example.org.		2272	IN	RRSIG	DNSKEY 13 2 3600 20230728174539 20230707221939 22273 example.org. uNx/5chJrQR1NqGNaEjrSN37rLafNCeZQPo7wlNbkGHIRhfV7QKpFVKM I0mJNPvmNIOFl0HEjMZQbaKu7LoYNg==

But it fails to deduce missing RRSIGs needs to be related to crytographic proof of DS record in its own zone or any of parent's. It is described in https://www.rfc-editor.org/rfc/rfc4035.html#section-5

The absence of DNSSEC data in a response MUST NOT by
itself be taken as an indication that no authentication information
exists.

A resolver SHOULD expect authentication information from signed
zones. A resolver SHOULD believe that a zone is signed if the
resolver has been configured with public key information for the
zone, or if the zone's parent is signed and the delegation from the
parent contains a DS RRset.

[pemensik]

It does not matter if I try that on zone (apex) name or any its member. If just example.org provides unsigned faked address, it will still be accepted by systemd-resolved, but correctly refused by other validating resolvers.

[pemensik]

@jacekmigacz might take a look too as well.

[evverx]

@pemensik just out of curiosity looking at the "rhel/downstream" label I wonder if RHEL is actually planning to include resolved in the foreseeable future?

FWIW this issue has been known since 2020: #15158