High severity · NVD Advisory · Published Dec 27, 2022 · Updated Apr 14, 2025

Incorrect DNSSEC validation due to unchecked owner names in github.com/peterzen/goresolver

CVE-2022-3346

Description

DNSSEC validation in goresolver fails to verify the RRSIG owner name, allowing an attacker to spoof validation for arbitrary domains.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The goresolver library, a DNSSEC validating resolver implemented in Go, does not validate that the owner name in an RRSIG record matches the queried domain name. According to the issue report [3], the library directly uses the RRSIG header name to fetch the corresponding DNSKEY and verify the chain of trust without checking equality with the original query domain. This omission allows an attacker to present a valid RRSIG from a domain they control for any other domain, bypassing DNSSEC authentication.

Exploitation

An attacker who controls a domain (e.g., pwn.com) can generate a valid RRSIG for a fake response set using their own DNSKEY. When a victim queries for records of another domain (e.g., example.com), the attacker can inject a response with the forged RRSIG. Because the library does not verify that the RRSIG owner name matches the queried domain, it will accept the RRSIG and proceed to validate using the attacker's DNSKEY, leading to false validation success [3].
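The name binding described above, written out as an added example (standard-library Go, not goresolver's code). The type `sigMeta` and the function names are hypothetical, the sample values are constructed, and a direct answer with no CNAME chain is assumed; the signer-name and type-covered checks go beyond the page's owner-name case and follow RFC 4035 section 5.3.1.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// sigMeta models the RRSIG fields that bind a signature to a name.
// Hypothetical type for this example, not goresolver's API.
type sigMeta struct {
	Owner, Signer, TypeCovered string
}

var (
	errOwner  = errors.New("RRSIG owner name differs from queried name")
	errSigner = errors.New("RRSIG signer name is not a zone containing the owner")
	errType   = errors.New("RRSIG type covered differs from queried type")
)

// canon lower-cases a domain name and makes it fully qualified.
func canon(n string) string {
	n = strings.ToLower(strings.TrimSpace(n))
	if !strings.HasSuffix(n, ".") {
		n += "."
	}
	return n
}

// checkSigBinding must pass before the signer's DNSKEY is fetched or trusted.
func checkSigBinding(qname, qtype string, s sigMeta) error {
	q, owner, zone := canon(qname), canon(s.Owner), canon(s.Signer)
	if owner != q {
		return errOwner // the check the advisory reports as missing
	}
	if zone != "." && owner != zone && !strings.HasSuffix(owner, "."+zone) {
		return errSigner
	}
	if !strings.EqualFold(qtype, s.TypeCovered) {
		return errType
	}
	return nil
}

func main() {
	// Constructed sample: the query is for example.com, the signature is owned by pwn.com.
	fmt.Println(checkSigBinding("example.com", "A", sigMeta{"pwn.com.", "pwn.com.", "A"}))
	fmt.Println(checkSigBinding("Example.COM", "A", sigMeta{"example.com.", "example.com.", "A"}))
}
```

A validator would run this per RRset before following the signer name up the chain of trust, so a signature that is cryptographically valid for another zone is rejected on name grounds alone.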

Impact

Successful exploitation allows the attacker to cause the resolver to report successful DNSSEC validation for attacker-controlled records, effectively enabling DNS spoofing and cache poisoning even in DNSSEC-enabled zones. This undermines the security guarantees that DNSSEC is designed to provide [1][4].

Mitigation

As of the latest references, no fix has been released for this vulnerability. All versions of goresolver are affected, and the Go vulnerability database lists it with no known fixed version [4]. Users should avoid using the library for security-critical applications until a patch is available.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/peterzen/goresolver (Go)
Affected versions: <= 1.0.2
Patched versions: none

Affected products

2

Patches

0

No patches discovered yet.


References

4
