tickets #129694

open

DNS NSEC Notification for opensuse.org

Added by pjessen 10 months ago. Updated 10 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Core services and virtual infrastructure
Target version: -
Start date: 2023-05-22
Due date:
% Done: 0%
Estimated time:

Description

The below was sent to postmaster@o.o by emailsecurity@notify.cispa.de

Hello,
as part of a study on email security and the support of OPENPGPKEY and SMIMEA mechanisms in particular, we analyzed the DNS zone of opensuse.org.

It came to our attention that the zone is supporting the NSEC mechanism for DNSSEC-authenticated denials of existence. Specifically, NSEC is known to allow third parties to easily enumerate all records in a DNS zone. This can be used by attackers to gain valuable information about your network architecture and to launch targeted attacks against your infrastructure.

We therefore recommend switching to the NSEC3 record type. NSEC3 provides hashed versions of the record names, which increases the difficulty for attackers to enumerate your DNS zone. Additionally, NSEC3 allows for the use of a salt, which adds an extra layer of protection against pre-computed attacks.

To switch to NSEC3, you will need to modify your DNS configuration to include NSEC3 records instead of NSEC records. This can be done using your DNS management tools, and your DNS service provider should be able to assist you in making the necessary changes.

In case you have any questions or need any assistance, please do not hesitate to reply to this notification.

Kind regards,
Birk Blechschmidt
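
The hashing that the notification refers to, as an added example that is not part of the ticket or of the quoted e-mail: the NSEC3 owner-name hash defined in RFC 5155 (SHA-1 over the wire-format name plus salt, then iterated), together with the interval check a validator uses to accept a denial of existence. The function names are hypothetical, and the zone name `example`, salt `aabbccdd` and 12 iterations are the RFC 5155 Appendix A sample parameters, not values from opensuse.org.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex (RFC 4648 section 7), lowercase,
# which is how hashed owner names appear in NSEC3 records.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789abcdefghijklmnopqrstuv",
)


def to_wire(name: str) -> bytes:
    """Canonical (lowercased) DNS wire format of a fully qualified name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(x || salt), then `iterations` additional rounds."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")


def covers(owner_hash: str, next_hash: str, query_hash: str) -> bool:
    """True if the NSEC3 record owner_hash -> next_hash proves that no name
    hashing to query_hash exists. base32hex sorts in ASCII order, so plain
    string comparison matches the hash order used by the chain."""
    if owner_hash < next_hash:
        return owner_hash < query_hash < next_hash
    # The last record in the chain wraps around to the first.
    return query_hash > owner_hash or query_hash < next_hash


if __name__ == "__main__":
    # An NSEC record would carry the next owner name in clear text; the NSEC3
    # equivalent carries only hashes like these.
    for n in ("example", "a.example"):
        print(n, "->", nsec3_hash(n, "aabbccdd", 12))
```

A denial response therefore reveals two hashes that bracket the queried name's hash rather than two real neighbouring names.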

Actions #1

Updated by crameleon 10 months ago

  • Category set to Core services and virtual infrastructure

I know it's easy to do with PowerDNS, however I don't know about the Bind stuff we have in front of it.

Actions #2

Updated by pjessen 10 months ago

  • Private changed from Yes to No