Abstract
This proposal replaces three DNSSEC oracle algorithms with newly deployed contracts to address the following two issues:
- feat: Replace EllipticCurve with EIP-7951 P-256 precompile for Algorithm 13
- RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation in ENS DNSSEC Oracle
Motivation
RSA Signature Forgery (Critical)
The RSASHA256Algorithm and RSASHA1Algorithm contracts fail to validate PKCS#1 v1.5 padding structure when verifying RSA signatures. The contracts only check whether the last 32 (or 20) bytes of the decrypted signature match the expected hash, ignoring the required padding format defined in RFC 3447. This enables Bleichenbacher's 2006 signature forgery attack against DNS zones using RSA keys with low public exponents (e=3).
Two ENS-supported TLDs — .cc and .name — use e=3 for their Key Signing Keys, allowing any domain under these TLDs to be fraudulently claimed on ENS without DNS ownership. The attack is permissionless, costs approximately 100k gas, and is difficult to detect as the forged proofs appear legitimate. Remediation requires governance intervention.
This vulnerability class has resulted in critical CVEs in other systems (CVE-2006-4339 in OpenSSL, CVE-2014-1568 in NSS, CVE-2016-1494 in python-rsa).
P-256 Precompile Upgrade (Gas Optimization)
The current P256SHA256Algorithm contract uses a Solidity-based EllipticCurve library for signature verification, consuming approximately 200,000+ gas per operation. EIP-7951 introduces a native P-256 precompile (at address 0x100) which reduces this to approximately 3,500 gas — a ~98% reduction. This upgrade takes advantage of the precompile available after the Fusaka hardfork.
Specification
Description
And newly deployed contract information is as follows
- RSASHA1_ADDRESS = 0x58E0383E21f25DaB957F6664240445A514E9f5e8
- RSASHA256_ADDRESS = 0xaee0E2c4d5AB2fc164C8b0Cc8D3118C1c752C95E
- P256SHA256_ADDRESS = 0xB091C4F6FAc16eDDA5Ee1E0f4738f80011905878
Steps overview are as follows
- 1-3. DNSSECImpl:
setAlgorithmof RSASHA1, RSASHA256 (RSA Signature Forgery patch), P256SHA256 (Using p-256 precompile) to newly deployed contracts - 4-5. Root:
setSubnodeOwnerofccandnameto 0 - 6-7: DNSRegistrar: Call
enableNodefor .cc and .name to re-enable them for DNSSEC.
DNSSEC_IMPL_ADDRESS=0x0fc3152971714E5ed7723FAFa650F86A4BaF30C5 ROOT_ADDRESS=0xaB528d626EC275E3faD363fF1393A41F581c5897 DNS_REGISTRAR_ADDRESS = 0xB32cB5677a7C971689228EC835800432B339bA2B
Transactions Summary
This proposal contains 7 transaction(s) to be executed by the ENS DAO Timelock.
| # | Contract | Function | Description |
|---|---|---|---|
| 1 | DNSSECImpl | setAlgorithm | Set Algorithm of RSASHA1 to new address |
| 2 | DNSSECImpl | setAlgorithm | Set Algorithm of RSASHA256 to new address |
| 3 | DNSSECImpl | setAlgorithm | Set Algorithm of P256SHA256 to new address |
| 4 | Root | setSubnodeOwner | Set owner of cc to 0 |
| 5 | Root | setSubnodeOwner | Set owner of name to 0 |
| 6 | DNSRegistrar | enableNode | Re-enable cc for DNSSEC |
| 7 | DNSRegistrar | enableNode | Re-enable name for DNSSEC |
Detailed Transaction Information
Transaction 1: Set Algorithm of RSASHA1 to new address
Target: DNSSECImpl
Address: 0x0fc3152971714E5ed7723FAFa650F86A4BaF30C5
Function: setAlgorithm
Parameters:
id: 5algo:0x58E0383E21f25DaB957F6664240445A514E9f5e8
Encoded Calldata: 0x020ed8d3000000000000000000000000000000000000000000000000000000000000000500000000000000000000000058e0383e21f25dab957f6664240445a514e9f5e8
Transaction 2: Set Algorithm of RSASHA256 to new address
Target: DNSSECImpl
Address: 0x0fc3152971714E5ed7723FAFa650F86A4BaF30C5
Function: setAlgorithm
Parameters:
id: 8algo:0xaee0E2c4d5AB2fc164C8b0Cc8D3118C1c752C95E
Encoded Calldata: 0x020ed8d30000000000000000000000000000000000000000000000000000000000000008000000000000000000000000aee0e2c4d5ab2fc164c8b0cc8d3118c1c752c95e
Transaction 3: Set Algorithm of P256SHA256 to new address
Target: DNSSECImpl
Address: 0x0fc3152971714E5ed7723FAFa650F86A4BaF30C5
Function: setAlgorithm
Parameters:
id: 13algo:0xB091C4F6FAc16eDDA5Ee1E0f4738f80011905878
Encoded Calldata: 0x020ed8d3000000000000000000000000000000000000000000000000000000000000000d000000000000000000000000b091c4f6fac16edda5ee1e0f4738f80011905878
Transaction 4: setSubnodeOwner of cc to 0
Target: Root
Address: 0xaB528d626EC275E3faD363fF1393A41F581c5897
Function: setSubnodeOwner
Parameters:
label:0x68ce0763ca729318b714b0cf33478e4e228e19f58aeaf12cfa1535c9d4bbcaf9owner:0x0000000000000000000000000000000000000000
Encoded Calldata: 0x8cb8ecec68ce0763ca729318b714b0cf33478e4e228e19f58aeaf12cfa1535c9d4bbcaf90000000000000000000000000000000000000000000000000000000000000000
Transaction 5: setSubnodeOwner of name back to DNS_REGISTRAR_ADDRESS
Target: Root
Address: 0xaB528d626EC275E3faD363fF1393A41F581c5897
Function: setSubnodeOwner
Parameters:
label:0x2361458367e696363fbcc70777d07ebbd2394e89fd0adcaf147faccd1d294d60owner:0x0000000000000000000000000000000000000000
Encoded Calldata: 0x8cb8ecec2361458367e696363fbcc70777d07ebbd2394e89fd0adcaf147faccd1d294d600000000000000000000000000000000000000000000000000000000000000000
Transaction 6: Re-enable cc for DNSSEC
Target: DNSRegistrar
Address: 0xB32cB5677a7C971689228EC835800432B339bA2B
Function: enableNode
Parameters:
domain:0x02636300
Encoded Calldata: 0x6f951221000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000040263630000000000000000000000000000000000000000000000000000000000
Transaction 7: Re-enable name for DNSSEC
Target: DNSRegistrar
Address: 0xB32cB5677a7C971689228EC835800432B339bA2B
Function: enableNode
Parameters:
domain:0x046e616d6500
Encoded Calldata: 0x6f95122100000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000006046e616d65000000000000000000000000000000000000000000000000000000
