Skip to content

Threat model

DNSSEC threat model

Deny-by-default

Validation resolves to one of three RFC 4033 states. Anything that is not provably Secure or provably Insecure is Bogus. In particular, every one of these is rejected as bogus — never silently accepted:

Condition Outcome
Unknown / unsupported signing algorithm bogus
Unsupported DS digest type (SHA-1, GOST) bogus
Tampered / invalid RRSIG signature bogus
Expired or not-yet-valid RRSIG (outside its validity window) bogus
Broken DS → DNSKEY link (no zone key matches the parent's DS) bogus
Key-tag mismatch between RRSIG and DNSKEY bogus
Out-of-bailiwick signer (a zone signing a name it does not enclose) bogus
Answer record not owned by the queried name bogus
Wildcard answer without an authenticated no-closer-match proof bogus
Missing keys / missing signatures bogus
Empty answer with no signatures to prove absence bogus

Insecure is the only non-secure success. It requires a positive, authenticated NSEC/NSEC3 proof that a delegation genuinely carries no DS — a provably-unsigned zone, not merely a missing signature.

In-bailiwick enforcement (cross-zone forgery)

A signer zone is only accepted if it is a label-aligned ancestor of the name it signs (RFC 4035 §5.3.1). This closes a real class of attack: without it, any zone whose own chain validates could present a signature over a name it does not enclose and have it accepted. Concretely, evil.com is not in-bailiwick for notevil.com (suffix match must be on whole labels), and the root is in-bailiwick for everything.

This exact bypass — a cross-zone forgery where a validly-signed zone forged another zone's records — was found during pre-release adversarial review and is now closed, with a dedicated regression test. See Security.

Trust from cryptography, not transport

Because every signature is verified against a key anchored to the IANA root, the records themselves can be fetched over any transport (a plain recursive DO query, a fake) without weakening the result. The recursive resolver's AD bit is advisory only and never substitutes for chain validation.

Honest posture

  • The signature math is delegated to OpenSSL (RSA/ECDSA) and libsodium (Ed25519) — never bespoke crypto.
  • The module is tested against real captured signed-zone vectors and against self-signed chains from a test zone-signer, so both genuine and adversarial cases run offline.
  • It was adversarially security-reviewed before release (the cross-zone forgery above was found and fixed).

This is engineering care, not certification. The package has not had a formal third-party security audit and claims no conformance certification. Treat it accordingly, and report anything you find via GitHub Private Vulnerability Reporting.