From: Michał Kępień
Date: Wed, 25 Mar 2026 09:15:37 +0000 (+0100)
Subject: [9.16] [CVE-2026-1519] sec: usr: Fix unbounded NSEC3 iterations when validating refer...
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=94ece263832ebd4777d4a227e3752c92305c109e;p=thirdparty%2Fbind9.git

[9.16] [CVE-2026-1519] sec: usr: Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations

DNSSEC-signed zones may contain high iteration-count NSEC3 records,
which prove that certain delegations are insecure. Previously, a
validating resolver encountering such a delegation processed these
iterations up to the number given, which could be a maximum of 65,535.
This has been addressed by introducing a processing limit, set at 150.
Now, if such an NSEC3 record is encountered, the delegation will be
treated as insecure.

ISC would like to thank Samy Medjahed/Ap4sh for bringing this
vulnerability to our attention.

Closes isc-projects/bind9#5708

Backport of MR !935

Merge branch '5708-confidential-nsec3-delegation-iteration-fix-fallback-to-insecure-9.16' into 'bind-9.16-release'

See merge request isc-private/bind9!955
---

94ece263832ebd4777d4a227e3752c92305c109e
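The limit described in the commit message above, as an added Python example (not code from BIND or from this commit): it reads the iteration count from the NSEC3 RDATA header defined in RFC 5155 and refuses to hash when the count exceeds 150. All function names, the sample RDATA, and the choice to allow exactly 150 are assumptions of this example.

```python
import base64
import hashlib

MAX_NSEC3_ITERATIONS = 150  # from the commit message; allowing exactly 150 is an assumption
# base32 (RFC 4648) -> base32hex alphabet, as used for NSEC3 owner names
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def parse_nsec3_params(rdata: bytes):
    """Parse the fixed head of NSEC3 RDATA (RFC 5155 section 3.2)."""
    if len(rdata) < 5:
        raise ValueError("truncated NSEC3 RDATA")
    alg, flags, salt_len = rdata[0], rdata[1], rdata[4]
    iterations = int.from_bytes(rdata[2:4], "big")  # 16 bits: 0..65535
    salt = rdata[5:5 + salt_len]
    if len(salt) != salt_len:
        raise ValueError("truncated NSEC3 salt")
    return alg, flags, iterations, salt

def wire_name(name: str) -> bytes:
    """Lower-cased owner name in DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: one initial SHA-1 plus `iterations` more."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def check_delegation(name: str, rdata: bytes):
    """Return ("insecure", None) over the limit, else ("hash", <hashed name>)."""
    alg, _flags, iterations, salt = parse_nsec3_params(rdata)
    if iterations > MAX_NSEC3_ITERATIONS:
        # Decide from the header alone: no hashing work is spent on this record.
        return "insecure", None
    if alg != 1:  # SHA-1 is the only algorithm defined in RFC 5155
        raise ValueError("unsupported NSEC3 hash algorithm")
    return "hash", nsec3_hash(name, salt, iterations)

def make_rdata(iterations: int, salt: bytes) -> bytes:
    """Constructed sample: NSEC3 RDATA head (alg 1, flags 1) for the demo."""
    return bytes([1, 1]) + iterations.to_bytes(2, "big") + bytes([len(salt)]) + salt

if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")  # parameters of the RFC 5155 Appendix A zone
    print(check_delegation("example", make_rdata(12, salt)))
    print(check_delegation("example", make_rdata(65535, salt)))
```

The cost the limit bounds is visible in `nsec3_hash`: each candidate name costs `iterations + 1` SHA-1 calls, so the check has to run before any hashing starts.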