Security vulnerabilities

  • Status Closed
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by ciphernest7 - 01.07.2026
Last edited by cbay - 02.07.2026

FS#359 - DNSSEC Misconfiguration

Description: The DNSSEC (Domain Name System Security Extensions) configuration for the domain alwaysdata.com contains critical misconfigurations. DNSSEC is designed to safeguard DNS data from attacks such as cache poisoning and man-in-the-middle (MITM) by ensuring authentication and data integrity through digital signatures.

However, the current implementation for alwaysdata.com is incomplete and improperly configured, rendering DNSSEC ineffective and exposing the domain to potential exploitation.

Findings: Upon detailed analysis of the domain’s DNS records, the following issues were identified:

Unsigned DS Records: The Delegation Signer (DS) records in the parent zone are not correctly signed, breaking the essential chain of trust required for DNSSEC validation. Properly signed DS records are necessary to ensure the integrity of DNS queries.

Invalid RRSIG Records: Several Resource Record Signature (RRSIG) entries in the DNS zone are invalid, indicating key management or signing process failures. These invalid signatures compromise the authenticity and integrity guarantees provided by DNSSEC.

DNSKEY Mismatch: A mismatch exists between the DNSKEY records in the domain’s DNSKEY RRset and those provided in the delegation response from the parent zone. This inconsistency weakens the DNSSEC chain of trust, making the domain susceptible to tampering.

Steps to Reproduce:

Navigate to the DNSSEC debugging tool: https://dnssec-debugger.verisignlabs.com

Enter the domain alwaysdata.com for analysis.

Observe the red-highlighted errors indicating DNSSEC misconfigurations and missing or invalid DNSSEC records.

Impact: Due to these misconfigurations, the domain ballerina.io is vulnerable to several security risks, including:

DNS Cache Poisoning: Attackers can inject forged DNS responses, redirecting users to malicious sites.

Man-in-the-Middle Attacks: Without valid DNSSEC validation, attackers can intercept and alter DNS responses.

Domain Impersonation: Weak or broken DNSSEC allows attackers to impersonate legitimate services under the domain.

Data Tampering: DNS records could be modified, leading to data leaks or loss of service integrity.

Reputation Damage: A compromised DNS configuration undermines user trust and damages the organization’s credibility.

Closed by cbay
02.07.2026 07:14
Reason for closing: Invalid
Admin
cbay commented on 02.07.2026 07:14

Hello,

There's no misconfiguration: DNSSEC is simply not enabled on that domain. Many other very important domains (e.g. google.com or gmail.com) do not enable DNSSEC, that's not a vulnerability.

Kind regards,
Cyril
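The reply above separates a zone with no DNSSEC from one whose DNSSEC is broken. The following added example (not part of the ticket and not alwaysdata's code) shows how a checker can tell the two apart from the DS set at the parent and the DNSKEY set at the child, using the RFC 4034 key tag and SHA-256 DS digest. The zone name, key bytes and the labels `insecure`, `linked` and `bogus` are constructed for illustration, and RRSIG verification is out of scope.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lower-case) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def delegation_status(owner, parent_ds, child_dnskeys):
    """parent_ds: list of (key_tag, algorithm, digest_hex) from the parent zone.
    child_dnskeys: list of DNSKEY RDATA bytes served by the child zone."""
    if not parent_ds:
        return "insecure"  # no DS at the parent: DNSSEC is simply not enabled
    wanted = {(tag, alg, digest.lower()) for tag, alg, digest in parent_ds}
    for rdata in child_dnskeys:
        if (key_tag(rdata), rdata[3], ds_digest(owner, rdata)) in wanted:
            return "linked"  # a DS at the parent matches a published DNSKEY
    return "bogus"  # DS exists but no DNSKEY matches: a real misconfiguration

# Constructed sample data (not real keys, not a real zone).
ZONE = "example.test."
KSK = dnskey_rdata(257, 13, bytes(range(64)))
OTHER = dnskey_rdata(257, 13, bytes(range(1, 65)))
DS = (key_tag(KSK), 13, ds_digest(ZONE, KSK))

if __name__ == "__main__":
    cases = [("no DS at parent", [], [KSK]),
             ("DS matches DNSKEY", [DS], [KSK]),
             ("DS without matching DNSKEY", [DS], [OTHER])]
    for label, ds, keys in cases:
        print(f"{label}: {delegation_status(ZONE, ds, keys)}")
```

Validating resolvers answer normally for an `insecure` delegation and fail resolution only for a `bogus` one.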
