From: Michał Kępień
Date: Fri, 13 Mar 2026 12:16:28 +0000 (+0100)
Subject: [CVE-2026-1519] sec: usr: Fix unbounded NSEC3 iterations when validating referrals...
X-Git-Tag: v9.21.20~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=779463a703e109d2f65e9a09745bfebd2b9d4164;p=thirdparty%2Fbind9.git

[CVE-2026-1519] sec: usr: Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations

DNSSEC-signed zones may contain high iteration-count NSEC3 records,
which prove that certain delegations are insecure. Previously, a
validating resolver encountering such a delegation processed these
iterations up to the number given, which could be a maximum of 65,535.
This has been addressed by introducing a processing limit, set at 50.
Now, if such an NSEC3 record is encountered, the delegation will be
treated as insecure.

ISC would like to thank Samy Medjahed/Ap4sh for bringing this
vulnerability to our attention.

Closes isc-projects/bind9#5708

Merge branch '5708-confidential-nsec3-delegation-iteration-fix-fallback-to-insecure' into 'v9.21.20-release'

See merge request isc-private/bind9!935
---
779463a703e109d2f65e9a09745bfebd2b9d4164
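The iteration cap described in the commit message above, sketched as an added example that is not BIND's code: it implements the RFC 5155 NSEC3 hash and refuses over-limit records before any hashing is done. The function names are hypothetical, and treating `iterations > 50` (rather than `>= 50`) as over the limit is an assumption; the sample salt and name in the usage comment are constructed from the RFC 5155 example zone.

```python
import base64
import hashlib

MAX_NSEC3_ITERATIONS = 50  # processing limit stated in the commit message

# Map the standard base32 alphabet to lowercase base32hex, as used in NSEC3 owner names.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) DNS wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int):
    """RFC 5155 hash: one initial SHA-1 plus `iterations` further rounds.

    Returns (base32hex owner label, number of SHA-1 calls performed).
    """
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    calls = 1
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
        calls += 1
    return base64.b32encode(digest).translate(_B32HEX).decode(), calls


def check_delegation(name: str, salt: bytes, iterations: int,
                     limit: int = MAX_NSEC3_ITERATIONS) -> dict:
    """Hypothetical validator step: decide before spending any CPU on hashing."""
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("NSEC3 iterations is a 16-bit field")
    if iterations > limit:  # assumption: strictly above the limit is rejected
        # Over-limit record: do no hashing, treat the delegation as insecure.
        return {"status": "insecure", "hash": None, "sha1_calls": 0}
    owner, calls = nsec3_hash(name, salt, iterations)
    return {"status": "validate", "hash": owner, "sha1_calls": calls}


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")  # constructed sample input
    for its in (12, 50, 51, 65535):
        print(its, check_delegation("example", salt, its))
```

Without the cap, a record advertising 65,535 iterations costs 65,536 SHA-1 calls for every name hashed against it; with the cap, the worst case per name is 51.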