For "Check for CNAME":


For example, an attacker takes this original response:
[NOTE: this isn't an actual response.  BIND and NSD both return
different authority sections.  So, it is possible that normally an
attacker would also have to somehow get the www.example.com NSEC
record.  This isn't hard, but would make this example harder to describe]

  RCODE: NOERROR
  ;; QUESTION SECTION
  ;www.example.com. IN AAAA

  ;; ANSWER SECTION:
  www.example.com. IN CNAME example.org.
  www.example.com. IN RRSIG CNAME ...

  ;; AUTHORITY SECTION:
  example.com. IN SOA ...
  example.com. IN RRSIG SOA ..
  www.example.com  IN NSEC x.example.com CNAME RRSIG
  www.example.com  IN RRSIG NSEC ...

And turns it into:

  RCODE: NOERROR
  ;; QUESTION SECTION
  ;www.example.com. IN AAAA

  ;; ANSWER SECTION:

  ;; AUTHORITY SECTION:
  example.com. IN SOA ...
  example.com. IN RRSIG SOA ..
  www.example.com  IN NSEC x.example.com CNAME NSEC RRSIG
  www.example.com  IN RRSIG NSEC ...

A validator that does not follow this rule might consider this
response a valid NOERROR/NODATA response since the NSEC record proves
that www.example.com AAAA does not exist.


For Insecure Delegation Proofs:

For example, an attacker takes the original response:

  RCODE: NOERROR
  ;; QUESTION SECTION
  ;www.example.com. IN AAAA

  ;; ANSWER SECTION:

  ;; AUTHORITY SECTION:
  example.com. IN SOA ...
  example.com. IN RRSIG SOA ..
  www.example.com  IN NSEC x.example.com A NSEC RRSIG
  www.example.com  IN RRSIG NSEC ...

And converts it into a spoofed delegation:

  RCODE: NOERROR
  ;; QUESTION SECTION
  ;www.example.com. IN AAAA

  ;; ANSWER SECTION:

  ;; AUTHORITY SECTION:
  www.example.com. IN NS bad1.example.net.
  www.example.com. IN NS bad2.example.net.
  www.example.com  IN NSEC x.example.com A NSEC RRSIG
  www.example.com  IN RRSIG NSEC ...

A validator that does not follow this rule might consider this a valid delegation since the NSEC record proves that there is no DS record at www.example.com.