Write about IETF-draft/wijngaards here.

https://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-01

3.3 Obtain Authoritative Data

1. Attack examples and mitigations (unbound)

4. Variants to Protect against

In the descriptions below a short title is given to quickly summarize the exploit.

The query 'q:' is what the attacker sends as a fake question for the resolver to answer. The answer, authority 'auth:' and additional 'add:' sections list the content that the spoofer provides. The mitigation strategy, and sometimes discussion, is provided in the 'protected:' line.

The real target is example.com or www.example.com or ns1.example.com, which is the real nameserver for example.com here.

The domain evil.example.net is under control of the attacker and 192.0.2.66(evil) is an IP address under control of the attacker. The label 'bad123' is used in place of a label that the attacker varies every attempt to obtain new spoofing windows.

Glue with new DNS server

   q: bad123.example.com.
   answer: bad123.example.com. A whatever
   auth: example.com. NS evil.example.com.
   add: evil.example.com. A 192.0.2.66(evil)

Glue for DNS server

   q: bad123.example.com.
   answer: bad123.example.com. A whatever
   auth: example.com. NS ns1.example.com. (normal entry)
   add: ns1.example.com. A 192.0.2.66(evil)

Glue for Web server

   q: bad123.example.com.
   answer: bad123.example.com. A whatever
   auth: example.com. NS www.example.com.
   add: www.example.com. A 192.0.2.66(evil)

Glue smaller

   q: bad123.example.com.
   answer: bad123.example.com. A 192.0.2.66(evil)
   auth: example.com. NS bad123.example.com.

NS change

   q: bad123.example.com.
   answer: bad123.example.com. A whatever
   auth: example.com. NS evil.example.net.

NS server migration

   q: bad123.example.com.
   answer: bad123.example.com. A whatever
   auth: example.com. NS ns1.example.com. (normal entry)
   auth: example.com. NS ns2.example.com.evil.example.net.
         (evil, looks like typo in server migration)

CNAME

   q: bad123.example.com.
   answer: bad123.example.com. CNAME www.example.com.
   answer: www.example.com. A 192.0.2.66(evil)

DNAME one message

   q: www.bad123.example.com.
   answer: bad123.example.com. DNAME example.com.
   answer: www.bad123.example.com. CNAME www.example.com.
   answer: www.example.com. A 192.0.2.66(evil)

DNAME whole zone

   q: bad123.example.com.
   answer: example.com. DNAME evil.example.net.
   answer: bad123.example.com. CNAME bad123.evil.example.net.
   answer: bad123.evil.example.net. A whatever

New Delegation - rigged

   q: bad123.www.example.com.
   answer: (empty)
   auth: www.example.com. NS www.example.com.
   add: www.example.com. A 192.0.2.66(evil)

New Delegation - looks normal

   q: bad123.www.example.com.
   answer: (empty)
   auth: www.example.com. NS ns1.evil.example.net.
   auth: www.example.com. NS ns2.evil.example.net.

New Delegation - for glue

   q: bad123.example.com.
   answer: (empty)
   auth: bad123.example.com. NS ns1.example.com.
   add: ns1.example.com. A 192.0.2.66(evil)

Another hitherto unknown variation
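The variants above all rely on the resolver caching something it did not ask for: an NS set for example.com, glue for ns1.example.com or www.example.com, a DNAME at an ancestor, or the A record of a CNAME target. The following Python is an added, constructed example for this page (not Unbound's scrubber and not text from the draft) that applies a strict reading of section 3.3, "Obtain Authoritative Data": a reply is trusted only for the name that was asked; any other record is either dropped, because it lies outside the bailiwick of the server that was queried, or held back for a separate direct query before it may enter the cache. The zone name example.com, the query type A, and the tuple layout of the records are assumptions made for the example; the twelve variants are transcribed from the page.

```python
"""Illustrative resolver-side scrubber run over the spoofing variants above.

Constructed example for this page; not Unbound's code and not the draft's text.
Assumed: the resolver queried a server authoritative for ZONE, and only data for
the exact query name is trusted from the reply (draft section 3.3 policy).
"""
from collections import namedtuple

RR = namedtuple("RR", "name rtype rdata")
EVIL = "192.0.2.66"        # attacker-controlled address used on this page
ZONE = "example.com."      # zone the queried server is authoritative for (assumed)


def norm(name):
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True if name is at or below the zone the queried server serves."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)


def scrub(qname, qtype, zone, answer=(), auth=(), add=()):
    """Sort every RR of a reply into accept / verify / drop.

    accept: owner is exactly qname and type is qtype or CNAME (what was asked).
    verify: in bailiwick but for another name (NS sets, new delegations, DNAME,
            CNAME targets, glue). Not used from this message: the resolver
            queries for it directly and keeps only what that query confirms.
    drop:   outside the bailiwick, or additional data no NS record refers to.
    """
    out = {"accept": [], "verify": [], "drop": []}
    q = norm(qname)
    for rr in map(RR._make, answer):
        if not in_bailiwick(rr.name, zone):
            out["drop"].append(rr)
        elif norm(rr.name) == q and rr.rtype in (qtype, "CNAME"):
            out["accept"].append(rr)
        else:
            out["verify"].append(rr)       # DNAME at an ancestor, CNAME target data
    ns_targets = set()
    for rr in map(RR._make, auth):
        if not in_bailiwick(rr.name, zone):
            out["drop"].append(rr)
            continue
        if rr.rtype == "NS":
            ns_targets.add(norm(rr.rdata))
        out["verify"].append(rr)           # changed NS set or new delegation
    for rr in map(RR._make, add):
        if (rr.rtype in ("A", "AAAA") and in_bailiwick(rr.name, zone)
                and norm(rr.name) in ns_targets):
            out["verify"].append(rr)       # glue: trusted only after a direct lookup
        else:
            out["drop"].append(rr)
    return out


# The variants from the page as (title, qname, answer, authority, additional).
Q, ANS = "bad123.example.com.", [("bad123.example.com.", "A", "whatever")]
VARIANTS = [
    ("Glue with new DNS server", Q, ANS, [("example.com.", "NS", "evil.example.com.")],
     [("evil.example.com.", "A", EVIL)]),
    ("Glue for DNS server", Q, ANS, [("example.com.", "NS", "ns1.example.com.")],
     [("ns1.example.com.", "A", EVIL)]),
    ("Glue for Web server", Q, ANS, [("example.com.", "NS", "www.example.com.")],
     [("www.example.com.", "A", EVIL)]),
    ("Glue smaller", Q, [("bad123.example.com.", "A", EVIL)],
     [("example.com.", "NS", "bad123.example.com.")], []),
    ("NS change", Q, ANS, [("example.com.", "NS", "evil.example.net.")], []),
    ("NS server migration", Q, ANS, [("example.com.", "NS", "ns1.example.com."),
     ("example.com.", "NS", "ns2.example.com.evil.example.net.")], []),
    ("CNAME", Q, [("bad123.example.com.", "CNAME", "www.example.com."),
     ("www.example.com.", "A", EVIL)], [], []),
    ("DNAME one message", "www.bad123.example.com.",
     [("bad123.example.com.", "DNAME", "example.com."),
      ("www.bad123.example.com.", "CNAME", "www.example.com."),
      ("www.example.com.", "A", EVIL)], [], []),
    ("DNAME whole zone", Q, [("example.com.", "DNAME", "evil.example.net."),
     ("bad123.example.com.", "CNAME", "bad123.evil.example.net."),
     ("bad123.evil.example.net.", "A", "whatever")], [], []),
    ("New Delegation - rigged", "bad123.www.example.com.", [],
     [("www.example.com.", "NS", "www.example.com.")], [("www.example.com.", "A", EVIL)]),
    ("New Delegation - looks normal", "bad123.www.example.com.", [],
     [("www.example.com.", "NS", "ns1.evil.example.net."),
      ("www.example.com.", "NS", "ns2.evil.example.net.")], []),
    ("New Delegation - for glue", Q, [], [("bad123.example.com.", "NS", "ns1.example.com.")],
     [("ns1.example.com.", "A", EVIL)]),
]


def run_variants(zone=ZONE, qtype="A"):
    """Scrub each variant; returns {title: buckets}."""
    return {t: scrub(q, qtype, zone, ans, auth, add) for t, q, ans, auth, add in VARIANTS}


def accepted_for_other_names(results):
    """Titles where anything not owned by the query name reached the accept bucket."""
    qn = {t: norm(q) for t, q, *_ in VARIANTS}
    return [t for t, r in results.items()
            if any(norm(rr.name) != qn[t] for rr in r["accept"])]
```

Under this policy the only thing an attacker can poison in one spoofed message is the bad123 name itself (the "Glue smaller" answer), which they already chose and vary per attempt; every NS, DNAME, CNAME target and glue record lands in the verify bucket and must win a second, independent race against the resolver's own direct query. Note that the policy is deliberately stricter than a conventional scrubber, which would accept in-bailiwick glue and CNAME target data from the same message.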