tickets #129694


DNS NSEC Notification for

Added by pjessen about 1 year ago. Updated about 1 month ago.

In Progress

The below was sent to postmaster@o.o by

as part of a study on email security and the support of OPENPGPKEY and SMIMEA mechanisms in particular, we analyzed the DNS zone of

It came to our attention that the zone is supporting the NSEC mechanism for DNSSEC-authenticated denials of existence. Specifically, NSEC is known to allow third parties to easily enumerate all records in a DNS zone. This can be used by attackers to gain valuable information about your network architecture and to launch targeted attacks against your infrastructure.

We therefore recommend switching to the NSEC3 record type. NSEC3 provides hashed versions of the record names, which increases the difficulty for attackers to enumerate your DNS zone. Additionally, NSEC3 allows for the use of a salt, which adds an extra layer of protection against pre-computed attacks.

To switch to NSEC3, you will need to modify your DNS configuration to include NSEC3 records instead of NSEC records. This can be done using your DNS management tools, and your DNS service provider should be able to assist you in making the necessary changes.

In case you have any questions or need any assistance, please do not hesitate to reply to this notification.

Kind regards,
Birk Blechschmidt

Actions #1

Updated by crameleon about 1 year ago

  • Category set to Core services and virtual infrastructure

I know it's easy to do with PowerDNS, however I don't know about the Bind stuff we have in front of it.

Actions #2

Updated by pjessen about 1 year ago

  • Private changed from Yes to No

Actions #3

Updated by crameleon about 1 month ago

  • Category changed from Core services and virtual infrastructure to DNS
  • Status changed from New to In Progress
  • Assignee set to crameleon

Actions #4

Updated by crameleon about 1 month ago · Edited

For testing, I enabled NSEC3 for I mostly opted for settings recommended by RFC5155, the ISC and PowerDNS - which are SHA1 hashing, no opt-out, no salt, but one additional iteration. If I don't find any issues I'll roll it out to more zones and eventually to {,infra.}
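As an added example, not code from this ticket or from the openSUSE infrastructure: a small Python script that computes NSEC3 owner-name hashes as specified in RFC 5155 and parses an NSEC3PARAM record, so a zone operator can confirm the published parameters are the intended ones (SHA-1, no opt-out, no salt, one additional iteration, as in comment #4) and map a known name to the hashed owner its NSEC3 record lives at. The NSEC3PARAM text `1 0 1 -` and the name `www.example.` are constructed, and the checks in `review_params` follow RFC 9276's recommendations, which are that RFC's and not the ticket's.

```python
import base64
import hashlib

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"  # RFC 4648 "extended hex" alphabet used by NSEC3

def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 s5, hash algorithm 1 (SHA-1): H(x) = SHA1(x || salt), applied once plus
    `iterations` additional times; result is base32hex, lowercase, unpadded."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii")
    return b32.translate(str.maketrans(B32_STD, B32_HEX)).rstrip("=").lower()

def parse_nsec3param(rdata: str) -> dict:
    """Parse NSEC3PARAM presentation format: '<hash-alg> <flags> <iterations> <salt|->'."""
    alg, flags, iterations, salt = rdata.split()
    return {
        "hash_algorithm": int(alg),
        # Bit 0 of flags is Opt-Out on NSEC3 RRs; NSEC3PARAM itself must publish flags = 0.
        "opt_out": bool(int(flags) & 0x01),
        "iterations": int(iterations),
        "salt": b"" if salt == "-" else bytes.fromhex(salt),
    }

def review_params(p: dict) -> list:
    """Notes where parameters diverge from RFC 9276 (0 iterations, empty salt, no opt-out)."""
    notes = []
    if p["iterations"] > 0:
        notes.append("extra iterations add resolver load; RFC 9276 recommends 0")
    if p["salt"]:
        notes.append("salt adds no real enumeration resistance; RFC 9276 recommends none")
    if p["opt_out"]:
        notes.append("opt-out leaves unsigned delegations without denial-of-existence proofs")
    return notes

def nsec3_owner(name: str, zone: str, p: dict) -> str:
    """Hashed owner name the zone publishes for `name`, i.e. where its NSEC3 RR lives."""
    return f"{nsec3_hash(name, p['salt'], p['iterations'])}.{zone.strip('.')}."

if __name__ == "__main__":
    params = parse_nsec3param("1 0 1 -")  # constructed; mirrors the settings in comment #4
    print(nsec3_owner("www.example.", "example.", params), review_params(params))
```

The hashed owner returned by `nsec3_owner` can be compared directly with the NSEC3 owner names the zone's authoritative servers return for a name, which is the quickest way to confirm the signer is using the parameters you think it is.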
