Zone Dumping via DNSSEC

Submitted by Style Pass, 2024-07-08 17:00:09

Would you store sensitive data in an unauthenticated, unencrypted, globally-distributed database? I wouldn't, but best-practice or not, sysadmins store... interesting things in DNS records. Even with clean DNS records, it's still best practice to harden your DNS servers to prevent zone transfers from unauthorised sources, lest someone obtain a dump of every record for your domain:

Most reputable companies block zone transfers, so adversaries need to solicit records with methods such as brute-forcing, using wordlists, certificate transparency logs, APIs... Whilst this may recover many records:

But what if I told you there is a guaranteed way to retrieve the zone for all[1] DNSSEC domains - even if they're impervious to AXFR zone transfers? Would you like a zone dump of paypal.com, accenture.com, stanford.edu, fbi.gov...?

Firstly, DNSSEC (DNS Security) is a misnomer; a better name is DNSAUTH (DNS Authentication), because the long and short of it is that DNSSEC signs records so that they can be verified through a chain of trust. DNSSEC is not encryption. One issue the implementors grappled with is this: how do you sign the response to a query for a record that doesn't exist?
