Posting date: 28 September 2021
Program impacted: BIND
Versions affected: All versions of BIND that support DNSSEC zone signing
This notification describes a recommended change in DNSSEC practice
relating to authoritative zones that are DNSSEC-signed using NSEC3.
Although we are issuing this advisory to users of BIND, the advice
therein is also applicable to authoritative zone operators using other
DNSSEC-signed zones offer protection against response spoofing to both
DNSSEC-validating resolvers and authoritative DNS zone operators who
choose to sign their published zones.
NSEC and NSEC3 are the mechanisms within DNSSEC used to provide proof of
non-existence of names. This is achieved by a DNSSEC-signed assurance
that between two signed names, no other names exist.
NSEC3 uses hash mechanisms to avoid disclosure of the bounding names
themselves, otherwise it is possible to establish a list of all names in
a zone by 'walking' the non-existence bounds chain (NSEC). NSEC3 records
are created by first hashing the input domain and then repeating that
hashing algorithm a number of times based on the iterations parameter in
the NSEC3PARM and NSEC3 records.
The use of non-zero NSEC3 iterations is largely now held to be
ineffectual against a determined attacker. Furthermore, the use of NSEC3
iterations impose a significant computational overhead on
DNSSEC-processing. Updated best practice guidance for NSEC3 is to select
an iteration value of 0 (in other words, use no additional hash iterations).
BIND and other DNS resolver implementations are being updated to treat
DNSSEC-signed zones as insecure (unsigned) if the zone operator is using
NSEC3 with greater than 150 iterations.
For more information and additional references, see ISC KB article
Operators of DNSSEC-signed authoritative zones using NSEC3 iterations
greater than 150 will weaken rather than strengthen their zone's DNSSEC
Review your DNSSEC implementation. If you are maintaining DNSSEC-signed
zones using NSEC3 with iterations greater than 150 and prefer not to
follow updated best practice guidance to use a value of 0 (no additional
hash iterations beyond the first one), then to ensure that your zone is
still secure, reduce the iterations to a value less than 150 so that
DNSSEC-validating resolvers do not downgrade responses from your zone's
servers to insecure (unsigned).
Note: The validation limit on NSEC3 additional hash iterations has been
set at 150 in 2021, but may be further reduced in future years.
BIND Administrator Reference Manual section on DNSSEC.
ISC KB article
Do you still have questions? Questions regarding this advisory should go
to security-offi...@isc.org. To report a new issue, please encrypt your
message using security-offi...@isc.org's PGP key which can be found
here: https://www.isc.org/pgpkey/. If you are unable to use encrypted
email, you may also report new issues at: https://www.isc.org/reportbug/.
ISC patches only currently supported versions. When possible we indicate
EOL versions affected. (For current information on which versions are
actively supported, please see https://www.isc.org/download/.)
ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can be
found in the ISC Software Defect and Security Vulnerability Disclosure
Policy at https://kb.isc.org/docs/aa-00861.
Internet Systems Consortium (ISC) is providing this notice on an "AS IS"
basis. No warranty or guarantee of any kind is expressed in this notice
and none should be implied. ISC expressly excludes and disclaims any
warranties regarding this notice or materials referred to in this
notice, including, without limitation, any implied warranty of
merchantability, fitness for a particular purpose, absence of hidden
defects, or of non-infringement. Your use or reliance on this notice or
materials referred to in this notice is at your own risk. ISC may change
this notice at any time. A stand-alone copy or paraphrase of the text of
this document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of date, or
contain factual errors.
Everett B. Fulton
bind-announce mailing list