Rule ID
SV-272396r1192866_rule
Version
V3R2
CCIs
CCI-000366
All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name servers' clients.
If this is an authoritative name server, this is not applicable.
Run the command dig @<serverip> . ns and examine the results.
Answer results:
. 518400 IN NS e.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS l.root-servers.net.
;; ADDITIONAL SECTION:
m.root-servers.net. 518400 IN A 202.12.27.33
l.root-servers.net. 518400 IN A 199.7.83.42
k.root-servers.net. 518400 IN A 193.0.14.129
j.root-servers.net. 518400 IN A 192.58.128.30
i.root-servers.net. 518400 IN A 192.36.148.17
h.root-servers.net. 518400 IN A 198.97.190.53
g.root-servers.net. 518400 IN A 192.112.36.4
f.root-servers.net. 518400 IN A 192.5.5.241
e.root-servers.net. 518400 IN A 192.203.230.10
d.root-servers.net. 518400 IN A 199.7.91.13
c.root-servers.net. 518400 IN A 192.33.4.12
b.root-servers.net. 518400 IN A 170.247.170.2
a.root-servers.net. 518400 IN A 198.41.0.4
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
b.root-servers.net. 518400 IN AAAA 2801:1b8:10::b
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
If names and addresses do not match the current IANA list, this is a finding.
Run the command dig @<serverip> . dnskey +multi and examine the results.
Answer results:
. 77555 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
) ; KSK; alg = RSASHA256 ; key id = 20326
. 77555 IN DNSKEY 256 3 8 (
AwEAAbEbGCpGTDrcZTWqWWE72nphyshpRcILdzCVlBGU
9Ln1Fui9kkseUOP+g5GLUeVFKdTloeRTA9+EYiQdXgWX
mXmuW/nGxZjAikluF/O9NzLVrr5iZnth2xu+F48nrJlA
gWWiMNau54NI5sZ3iVQfhFsq2pZmf43RauRPniYMShOL
O7EBWWXr5glDSgZGS9fSm6xHwwF+g8D4m8oanjvdCBNx
XzSEKS31ibxjLifTfvwCg3y4XXcNW9U6Nu3JmoKUdxqp
PPIkBvVQbIz4UO2FwaR13uXC03ALP1Yx2QNSS4SZlcIM
tAftQR9wtCiuPWQnFv4jkzWqlhp1Lmf7bcoL9yk=
) ; ZSK; alg = RSASHA256 ; key id = 53148
. 77555 IN DNSKEY 257 3 8 (
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC
6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeH
spaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vr
hbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAx
m9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7
CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+
u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxP
vYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc=
) ; KSK; alg = RSASHA256 ; key id = 38696
Note: "nslookup" may be used as an alternative to "dig".
If the DNSSEC keys and trust anchors do not match the IANA list, this is a finding.
Edit the local root zone file. Ensure that the root servers listed match the IANA list. Ensure that the DNS keys and trust anchors listed match the IANA list. Restart the BIND 9.x process.
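The two comparisons in this check can be scripted rather than eyeballed. The following Python is an added example, not part of the STIG text: it parses dig output for the root hints and DNSKEY records, compares the A records with the IANA list given above, recomputes each key id from the key material (RFC 4034 Appendix B) so a tampered key cannot hide behind a copied comment, and flags any KSK that is not one of the two shown above. The sample dig outputs are constructed (the redirected address 198.51.100.4 is from the documentation range); in production, feed it the real dig output.

```python
import base64, re
# Expected IANA root hints, copied from the check text above (name -> A record).
IANA_ROOT_A = {
    "a.root-servers.net.": "198.41.0.4", "b.root-servers.net.": "170.247.170.2",
    "c.root-servers.net.": "192.33.4.12", "d.root-servers.net.": "199.7.91.13",
    "e.root-servers.net.": "192.203.230.10", "f.root-servers.net.": "192.5.5.241",
    "g.root-servers.net.": "192.112.36.4", "h.root-servers.net.": "198.97.190.53",
    "i.root-servers.net.": "192.36.148.17", "j.root-servers.net.": "192.58.128.30",
    "k.root-servers.net.": "193.0.14.129", "l.root-servers.net.": "199.7.83.42",
    "m.root-servers.net.": "202.12.27.33"}
EXPECTED_KSK_TAGS = {20326, 38696}  # key ids of the root KSKs (flags 257) in the check text
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)", re.M)
DNSKEY_RE = re.compile(r"IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+\((.*?)\)\s*;.*?key id = (\d+)", re.S)

def root_hint_findings(dig_text, expected=IANA_ROOT_A):
    """Compare the A records in 'dig @<serverip> . ns' output with the IANA list."""
    observed = dict(A_RE.findall(dig_text))
    findings = [f"{name} missing from root hints" for name in expected if name not in observed]
    for name, addr in observed.items():
        if name not in expected:
            findings.append(f"{name} is not an IANA root server")
        elif expected[name] != addr:
            findings.append(f"{name} is {addr}, IANA lists {expected[name]}")
    return findings

def key_tag(flags, protocol, algorithm, pubkey_b64):  # RFC 4034 Appendix B, over the RDATA
    rdata = bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_findings(dig_text, expected_ksks=EXPECTED_KSK_TAGS):
    """Recompute every key id in 'dig . dnskey +multi' output and flag unexpected KSKs."""
    findings, ksks = [], set()
    for flags, proto, alg, b64, claimed in DNSKEY_RE.findall(dig_text):
        tag = key_tag(int(flags), int(proto), int(alg), "".join(b64.split()))
        if tag != int(claimed):
            findings.append(f"key id {claimed} does not match its key material (computed {tag})")
        if int(flags) & 1:  # SEP bit set: a KSK, i.e. a trust anchor candidate
            ksks.add(tag)
    findings += [f"KSK {tag} is not an expected trust anchor" for tag in sorted(ksks - expected_ksks)]
    return findings
# Constructed samples: a.root-servers.net redirected to 198.51.100.4 (documentation range), and
# the KSK-2017 record from the check text joined into a single +multi style record.
SAMPLE_HINTS = "a.root-servers.net. 518400 IN A 198.51.100.4\nb.root-servers.net. 518400 IN A 170.247.170.2\n"
KSK_2017_B64 = "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
SAMPLE_DNSKEY = f". 77555 IN DNSKEY 257 3 8 ( {KSK_2017_B64} ) ; KSK; alg = RSASHA256 ; key id = 20326"
if __name__ == "__main__":
    for finding in root_hint_findings(SAMPLE_HINTS) + dnskey_findings(SAMPLE_DNSKEY):
        print("FINDING:", finding)
```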