It's always amusing when someone discovers DNS TXT records. ClamAV has been using them to announce the latest versions for more years than I care to remember.
clamav.net, like most domains, doesn't enable DNSSEC. Further, as designed, local resolvers don't validate DNSSEC, they just ask the recursive resolver to; a MITM between the local and the recursive can lie.
So when wikipedia says DNSSEC can protect, that's the permissive can. Like things can happen. But don't rely on it.
No, stub resolvers are supposed to, and often do validate DNSSEC signatures. DNSSEC is designed so that validation should happen whenever any DNS data is received over the network.
Wrong (EDIT: oops, I am wrong) current.cvd.clamav.net is (EDIT:) NOT currently DNSSEC-signed.
Just that their dnsquery() via freshclam daemon is not using val_res_query() when pulling in the version number, so it is unverified DNS querying going on … over there.
The best-resourced, most widely respected security teams on the Internet tend strongly not to enable DNSSEC or advocate for its adoption, mostly because it doesn't solve meaningful problems.
It would still be prone to DoS though. The request is unencrypted so a MITM could just not respond to those requests. This would effectively block clients from being able to update/get new definitions.
You don't even need an intentionally evil man in the middle: I can't imagine wanting to block something critical like AV updates on ordinary DNS TTLs, much less the long tail of DNS resolvers that have subtly broken caching strategies of one kind or another and sometimes get the TTLs wrong.
An hour or two may be a huge difference in preventing a viral spread, but at least in my experience it is tough to rely on DNS propagation below the hour line. Seems like an odd technical choice to me.
"So a man in the middle could prevent updates from happening, and freshclam wouldn't even throw a warning?"
And yet it "works" and as the OP mentioned for a long time. Often we get so conditioned to a security response we forget that basic security often relies upon a "simple" and inexpensive solution. Using DNS in this way is a best effort scenario that offloads work to servers designed for this purpose and for an open source project so you use what you have.
Oh, and there is a failover to https if the record is over three hours old.
Well, that would be the fault of clamav if they did not do the proper DNSSEC verification and validation of their 'current.cvd.clamav.net' hostname.
Digging into the code of freshclam, source of libfreshclam.c, dnsquery() function call, it is painfully evident that freshclam daemon does not do basic DNSSEC when performing res_query().
Instead, freshclam should be calling `val_res_query()`.
This is extremely misleading. The source data is the problem here, no account is taken about what constitutes a "school shooting". For example, if someone parks in a school parking lot at midnight and discharges a weapon, that is counted as a "school shooting" because it's on school grounds. In reality it's not what anyone considers to be a school shooting, and none of the school children are affected.
Lots of shootings happen in the parking lot at high school football games, one woman got shot outside an early learning center in a domestic dispute and that too is included as a "school shooting". There are many other incidents like these which are not what we know as "school shootings" but are included in some school shooting data sites.
The problem is serious enough and there is no need to add hype to it by using poor source data. All you do is create the opportunity for counter-arguments that have nothing to do with the actual issues.
If you click on the "Three." that will take you to my source. These are school shootings, not mass shootings. "School shootings", by my definition, are shootings that happened at a school. Would you like to propose an alternative definition?
Yes, I looked at your source data. I mentioned one case of a woman being shot outside an early learning center in a domestic dispute. That is clearly not a "school shooting". You need to understand the source data before trying to represent it in a meaningful fashion.
If a "school shooting" happens outside a school when there are no children actually in school at the time (during vacation for example), how many children are actually affected?
If a shooting happens in a school parking lot at 3:00 am because two people decided to meet there for a drug deal and it went bad, is that really a school shooting?
If you want to go with a simplistic "it happened on school property", then maybe we should be tracking "grocery store shootings", "nail salon shootings" and "corner of 3rd avenue and West Isles street shootings"?
When the term "school shooting" is used it connotes something very serious that has an impact on parents and children alike; society in general has an idea of what is meant by "school shooting", and to ignore that to keep it simple merely exacerbates the problem and, like I said, opens up the opportunity for argument that distracts from the very serious nature of the issues at hand.
$ dig +short -t txt current.cvd.clamav.net
"0.103.8:62:26972:1689593340:1:90:49192:334"
For anyone interested, Freshclam interprets this as:
Latest ClamAV version: 0.103.8
Latest Main DB version: 62
Latest Daily DB version: 26972
UNIX Timestamp: 1689593340
...and then some other version numbers and things I don't remember, one is probably a bytecode DB version 334, f-level 90 maybe.
Anyway, nothing new, works as designed. You can do all kinds of neat tricks with it. DNS has a lot going on that most people don't (ab)use.
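As an added illustration of the record format in the comment above and the three-hour HTTPS failover mentioned earlier in the thread, here is a small Python parser and freshness check. This is my own example code, not freshclam's implementation: it uses the TXT value captured in the thread as constructed sample input, names fields 1-4 as the comment describes them, takes fields 6 and 8 as functionality level and bytecode DB version only because the commenter guesses so, and carries fields 5 and 7 through unnamed. The "future timestamp counts as fresh" choice is mine, not documented freshclam behaviour.

```python
import subprocess
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# TXT record as captured in the thread with `dig +short -t txt current.cvd.clamav.net`
SAMPLE_TXT = '"0.103.8:62:26972:1689593340:1:90:49192:334"'

# Freshclam falls back to HTTPS once the DNS record is more than three hours old
MAX_RECORD_AGE_SECONDS = 3 * 60 * 60


@dataclass(frozen=True)
class VersionRecord:
    clamav_version: str          # field 1: latest ClamAV release
    main_db: int                 # field 2: main.cvd version
    daily_db: int                # field 3: daily.cvd version
    timestamp: int               # field 4: UNIX time the record was published
    flevel: int                  # field 6: functionality level (commenter's guess)
    bytecode_db: int             # field 8: bytecode DB version (commenter's guess)
    raw_fields: Tuple[str, ...]  # all eight fields; 5 and 7 are not named in the thread


def parse_version_record(txt: str) -> VersionRecord:
    """Split the colon-separated TXT payload; reject anything that is not 8 fields."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 colon-separated fields, got {len(fields)}: {txt!r}")
    try:
        return VersionRecord(
            clamav_version=fields[0],
            main_db=int(fields[1]),
            daily_db=int(fields[2]),
            timestamp=int(fields[3]),
            flevel=int(fields[5]),
            bytecode_db=int(fields[7]),
            raw_fields=tuple(fields),
        )
    except ValueError as exc:
        raise ValueError(f"non-numeric field in record {txt!r}") from exc


def record_age_seconds(record: VersionRecord, now: Optional[int] = None) -> int:
    """Age of the record relative to `now` (defaults to the wall clock)."""
    if now is None:
        now = int(time.time())
    return now - record.timestamp


def is_record_fresh(record: VersionRecord, now: Optional[int] = None) -> bool:
    """True if the record is within the three-hour window.
    A timestamp in the future (clock skew) is treated as fresh; that is my choice
    for this example, not documented freshclam behaviour."""
    return record_age_seconds(record, now) <= MAX_RECORD_AGE_SECONDS


def choose_update_source(txt: Optional[str], now: Optional[int] = None) -> str:
    """Decide where version information should come from.
    Returns 'dns' when the TXT record parses and is fresh, otherwise 'https'.
    A missing answer (None) models the silent-drop / broken-cache case from the
    thread: the client cannot tell "no update" from "no answer", so it must fall
    back instead of waiting."""
    if txt is None:
        return "https"
    try:
        record = parse_version_record(txt)
    except ValueError:
        return "https"
    return "dns" if is_record_fresh(record, now) else "https"


def fetch_txt_record(name: str = "current.cvd.clamav.net") -> Optional[str]:
    """Live lookup via dig, as in the thread; returns None if dig is absent or fails."""
    try:
        out = subprocess.run(["dig", "+short", "-t", "txt", name],
                             capture_output=True, text=True, timeout=5, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    lines = out.stdout.strip().splitlines()
    return lines[0] if lines else None


if __name__ == "__main__":
    rec = parse_version_record(SAMPLE_TXT)
    print(f"ClamAV {rec.clamav_version}, main {rec.main_db}, daily {rec.daily_db}, "
          f"published {rec.timestamp} (age now {record_age_seconds(rec)}s)")
    print("source for the captured record today:", choose_update_source(SAMPLE_TXT))
    print("source for a live answer:", choose_update_source(fetch_txt_record()))
```

The point of the freshness check is the one made in the thread: an on-path party can make the lookup time out or replay an old answer, and with plain DNS the client gets no signal either way, so the only defensible policy is a hard age limit followed by an authenticated fallback rather than trusting whatever arrives.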