Commit Graph

1 Commits

Author SHA1 Message Date
Petr Menšík
02daaf1f3f [9.16] [CVE-2026-1519] sec: usr: Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations
DNSSEC-signed zones may contain high iteration-count NSEC3 records,
which prove that certain delegations are insecure. Previously, a
validating resolver encountering such a delegation processed these
iterations up to the number given, which could be a maximum of 65,535.
This has been addressed by introducing a processing limit, set at 150.
Now, if such an NSEC3 record is encountered, the delegation will be
treated as insecure.

ISC would like to thank Samy Medjahed/Ap4sh for bringing this
vulnerability to our attention.

Closes isc-projects/bind9#5708

Backport of MR !935

Resolves-Vulnerability: CVE-2026-1519
2026-04-17 12:53:16 +02:00