Zone Walking (Zone Enumeration via DNSSEC NSEC Records)
By Joe St. Sauver
An important capability of DNSSEC is the ability to authoritatively assert that a given domain name does NOT exist, as per Authenticated Denial of Existence in the DNS.
Originally this was done by leveraging NSEC records. However, as noted in section 3.4 of RFC7129:
There were two issues with NSEC (and NXT). The first is that it allows for zone walking. NSEC records point from one name to another; in our example: "example.org" points to "a.example.org", which points to "d.example.org", which points back to "example.org". So, we can reconstruct the entire "example.org" zone, thus defeating attempts to administratively block zone transfers ([RFC2065], Section 5.5).
The second issue is that when a large, delegation-centric ([RFC5155], Section 1.1) zone deploys DNSSEC, every name in the zone gets an NSEC plus RRSIG. [continues]
NSEC3 records were introduced as an alternative to NSEC records, and provide a way to (largely) mitigate this exposure.
The question we consider today is, "Do any zones still sign their zones with NSEC instead of NSEC3?"
Actually, yes, a surprisingly large number of them do.
II. Empirically Checking For NSEC Use
Once you've installed that software, the process of using it is trivial – you merely say:
$ ldns-walk domainname
For example, if you were to walk the KY TLD (no, that's not Kentucky or Kyrgyzstan, dot KY is the Cayman Islands, you'd get output that looks like:
$ ldns-walk ky ky. ky. NS SOA RRSIG NSEC DNSKEY 000.ky. NS RRSIG NSEC 100kids.ky. NS RRSIG NSEC 100men.ky. NS RRSIG NSEC 100women.ky. NS RRSIG NSEC 100womencayman.ky. NS RRSIG NSEC 1040.ky. NS RRSIG NSEC 111.ky. NS RRSIG NSEC 123.ky. NS RRSIG NSEC 1fifteen.ky. NS RRSIG NSEC 1rumpoint.ky. NS RRSIG NSEC 1uc.ky. NS RRSIG NSEC 200.ky. NS RRSIG NSEC 2017oldenbergltd.ky. NS RRSIG NSEC [etc]
If we discovered that a TLD used NSEC records, we walked the entire TLD.
TLDs which we found with more than a hundred NSEC-using domains are listed in the following table:
Table I. TLDs With One Hundred Or More NSEC-Secured Domains
2,557,983 us 2,118,203 co 2,070,537 biz 152,779 link 76,500 click 53,983 bg 29,354 lk 26,619 tn 24,784 help 24,768 lol 22,988 sexy 22,165 photo 10,768 pics 9,524 kg 8,107 audio 5,656 hosting 5,353 ky 3,451 mg 2,135 game 1,989 how 1,766 pr 1,373 hiphop 1,286 br 1,195 sl 392 auto 382 na 319 lr [other TLDs with a 100 or fewer records omitted]
We found that to be a unexpectedly large number of domains.
III. "So Are You Suggesting That Domains Shouldn't Do DNSSEC?"
No – the exact opposite in fact. Farsight strongly believe that all domains should use DNSSEC when possible, and Farsight uses DNSSEC for its own domains and has strong support for DNSSEC in DNSDB (our flagship passive DNS product). Everyone really should have the protection that DNSSEC offers.
IV. "So If A TLD (or 2nd-Level Domain) Is Going to Use DNSSEC, Should It Be Using NSEC3 Instead of NSEC?"
Not necessarily – for example, Farsight itself uses NSEC (rather than NSEC3) to secure its domains, and yes, as a result, you can walk our domains. The company's perspective is that we've got nothing confidential in our publicly-available authoritative DNS, and so we make an informed decision to use NSEC rather than NSEC3.
You (or the TLDs you use) may feel differently – most TLDs block zone transfers, for example, and in that case it might make sense to use NSEC3 rather than NSEC to secure that TLD against being zone walked.
V. "What About Privacy? Zone Walking Feels As If It Encroaches on Domain Owner Privacy!"
Privacy is important, and something that Farsight takes very seriously. However, we agree with the fundamental conclusion quoted here – the mere ability to get a list of domain names does not compromise a domain owner's privacy.
Given the contentious European General Data Protection Regulations, and its potential for catastrophic restrictions on access to Whois information, we will refrain from comment on the remainder of the NLnet Labs' DNSSEC statement as it relates to Whois data, except to say that we believe continued access to Domain Whois and IP Whois is absolutely critical to maintaining a workable, transparent, accountable, and usable Internet.
We hope you've found this an interesting topic to explore. If you'd like to know more about how Farsight Security's DNSDB service can help you leverage DNS data in your investigations, including DNSSEC-related DNS records, feel free to contact Farsight Security, Inc..
Joe St Sauver, Ph.D. is a Scientist with Farsight Security, Inc.