CVE-2022-3347: vulnerability analysis and mitigation

Overview

CVE-2022-3347 is a security vulnerability affecting the goresolver package where DNSSEC validation is not performed correctly. The vulnerability was disclosed and published on September 29, 2022. This flaw affects all versions of github.com/peterzen/goresolver with no known fixed versions (Go Vulnerability).

Technical details

The vulnerability stems from improper validation of DNSSEC records. The RRSIG record's signer name (the "header name" in the package's terms), which identifies the zone whose key produced the signature, is never checked against the fully qualified domain name that was queried. The package takes the signer name from the RRSIG as-is and walks the chain of trust from there, without confirming that it is the zone containing the queried name. Additionally, root DNSSEC public keys are not validated against a trust anchor, so an attacker can present self-signed root keys and a delegation chain built on them (Go Vulnerability).

Impact

An attacker can exploit this vulnerability to make the package report successful validation for invalid, attacker-controlled records. For example, when a victim queries A records for example.com, an attacker who controls pwn.com can sign a forged RRset with pwn.com's legitimately published DNSKEY and attach an RRSIG whose signer name is pwn.com. Because the library never compares the signer name with the queried name, it fetches the DNSKEY for pwn.com and uses that key to verify the RRset intended for example.com, so the forged records pass validation (GitHub Issue).
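The check the library omits, written as an added Go example (not goresolver's own code): before a validator fetches the signer's DNSKEY, the RRSIG signer name must be the queried name itself or one of its ancestor zones, compared label by label. The function names and the sample names are this example's own assumptions; pwn.com and example.com are the names from the issue above.

```go
package main

import (
	"fmt"
	"strings"
)

// labels returns a name's labels root-first, lowercased and independent of a
// trailing dot, so that "ample.com." can never pass as an ancestor of "example.com.".
func labels(name string) []string {
	name = strings.Trim(strings.ToLower(strings.TrimSpace(name)), ".")
	if name == "" {
		return nil // the root zone has no labels
	}
	parts := strings.Split(name, ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// SignerCoversOwner reports whether the RRSIG signer name is a zone that can
// contain the RRset owner: the signer must equal the owner or be one of its
// ancestors (RFC 4035 section 5.3.1). An unrelated signer such as pwn.com
// for example.com, the case CVE-2022-3347 accepts, yields false.
func SignerCoversOwner(signer, owner string) bool {
	s, o := labels(signer), labels(owner)
	if len(s) > len(o) {
		return false
	}
	for i := range s {
		if s[i] != o[i] {
			return false
		}
	}
	return true
}

// CheckRRSIGSigner is the guard to run before fetching the signer's DNSKEY:
// refuse the signature when the signer lies outside the queried name's chain.
func CheckRRSIGSigner(queried, signer string) error {
	if !SignerCoversOwner(signer, queried) {
		return fmt.Errorf("RRSIG signer %q cannot sign records for %q", signer, queried)
	}
	return nil
}

func main() {
	fmt.Println(CheckRRSIGSigner("example.com", "pwn.com."))     // rejected
	fmt.Println(CheckRRSIGSigner("example.com", "example.com.")) // <nil>
}
```

A parent zone (com. or the root) still passes here because it legitimately signs the DS records at a delegation; the chain-of-trust walk, not this check, decides whether that key is trusted for the RRset type in question.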
