DNSSEC-signed zones may contain high iteration-count NSEC3 records,
which prove that certain delegations are insecure. Previously, a
validating resolver encountering such a delegation processed these
iterations up to the number given, which could be a maximum of 65,535.
This has been addressed by introducing a processing limit, set at 150.
Now, if such an NSEC3 record is encountered, the delegation will be
treated as insecure.
ISC would like to thank Samy Medjahed/Ap4sh for bringing this
vulnerability to our attention.
Closes isc-projects/bind9#5708
Backport of MR !935
Merge branch '5708-confidential-nsec3-delegation-iteration-fix-fallback-to-insecure-9.16' into 'bind-9.16-release'
See merge request isc-private/bind9!955
projects / thirdparty / bind9.git / commitdiff
