tickets #129694
openDNS NSEC Notification for opensuse.org
Start date:
2023-05-22
Due date:
% Done:
0%
Estimated time:
Description
The below was sent to postmaster@o.o by emailsecurity@notify.cispa.de
Hello,
as part of a study on email security and the support of OPENPGPKEY and SMIMEA mechanisms in particular, we analyzed the DNS zone of opensuse.org.
It came to our attention that the zone is supporting the NSEC mechanism for DNSSEC-authenticated denials of existence. Specifically, NSEC is known to allow third-parties to easily enumerate all records in a DNS zone. This can be used by attackers to gain valuable information about your network architecture and to launch targeted attacks against your infrastructure.
We therefore recommend switching to the NSEC3 record type. NSEC3 provides hashed versions of the record names, which increases the difficulty for attackers to enumerate your DNS zone. Additionally, NSEC3 allows for the use of a salt, which adds an extra layer of protection against pre-computed attacks.
To switch to NSEC3, you will need to modify your DNS configuration to include NSEC3 records instead of NSEC records. This can be done using your DNS management tools, and your DNS service provider should be able to assist you in making the necessary changes.
In case you have any questions or need any assistance, please do not hesitate to reply to this notification.
Kind regards,
Birk Blechschmidt
Updated by crameleon about 1 year ago
- Category set to Core services and virtual infrastructure
I know it's easy to do with PowerDNS, however I don't know about the Bind stuff we have in front of it.
Updated by crameleon 28 days ago · Edited
For testing, I enabled NSEC3 for opensuse.bar. I mostly opted for settings recommended by RFC5155, the ISC and PowerDNS - which are SHA1 hashing, no opt-out, no salt, but one additional iteration. If I don't find any issues I'll roll it out to more zones and eventually to {,infra.}opensuse.org.
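Added example (not part of the ticket, the notification, or the openSUSE infrastructure code): a small Python script that shows both points raised above. `walk_nsec_chain` enumerates a zone by following NSEC "next name" pointers, which is the zone walk the notification describes; `nsec3_hash` implements the RFC 5155 section 5 owner-name hashing so the hashed names produced by the parameters chosen for opensuse.bar (SHA-1, no opt-out, no salt, 1 iteration, i.e. NSEC3PARAM "1 0 1 -") can be computed and checked. The NSEC chain for example.org is constructed sample data, not real zone content; the one fixed value checked is the apex hash from RFC 5155 Appendix A (NSEC3PARAM "1 0 12 aabbccdd" for the zone "example.").

```python
import hashlib

# RFC 4648 "base32hex" alphabet, lowercase, as used for NSEC3 owner names (RFC 5155 s7.1)
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, uncompressed, root-terminated (RFC 4034 s6.2)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:          # the root name "." has no labels
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex without padding; a 20-byte SHA-1 digest maps to exactly 32 characters."""
    nchars = -(-len(data) * 8 // 5)
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name: str, salt_hex: str = "", iterations: int = 0, algorithm: int = 1) -> str:
    """Hashed owner name per RFC 5155 s5:
    IH(0) = H(owner || salt), IH(k) = H(IH(k-1) || salt), result = IH(iterations)."""
    if algorithm != 1:
        raise ValueError("RFC 5155 defines only hash algorithm 1 (SHA-1)")
    # "-" is the zone-file spelling of an empty salt
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def walk_nsec_chain(nsec_records, apex: str):
    """Enumerate every owner name in a zone by following NSEC 'next name' pointers
    from the apex until the chain wraps around: the zone walk the notification warns about."""
    nxt = {owner.lower(): nextname.lower() for owner, nextname in nsec_records}
    start = apex.lower()
    names, cur = [], start
    while True:
        names.append(cur)
        cur = nxt.get(cur)
        if cur is None or len(names) > len(nxt):
            raise ValueError("broken NSEC chain")
        if cur == start:
            return names


# Constructed sample chain (not real opensuse.org data), in canonical order; the last record wraps to the apex.
SAMPLE_NSEC = [
    ("example.org.", "git.example.org."),
    ("git.example.org.", "internal-db.example.org."),
    ("internal-db.example.org.", "mail.example.org."),
    ("mail.example.org.", "example.org."),
]

if __name__ == "__main__":
    print("NSEC walk reveals:", walk_nsec_chain(SAMPLE_NSEC, "example.org."))
    # RFC 5155 Appendix A vector: NSEC3PARAM "1 0 12 aabbccdd", owner "example."
    print(nsec3_hash("example.", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    # The settings chosen above for opensuse.bar: SHA-1, no salt, 1 iteration (NSEC3PARAM "1 0 1 -")
    for owner in ("opensuse.bar.", "git.opensuse.bar."):
        print(owner, "->", nsec3_hash(owner, "-", 1) + ".opensuse.bar.")
```

The hashed strings this produces are what appears as the owner names of the NSEC3 records in a `dig +dnssec` negative answer, so the function can be used to confirm that a zone's published NSEC3PARAM matches what was configured. Note that with no salt and one extra iteration an attacker can still hash a dictionary of candidate labels offline and compare; NSEC3 raises the cost of enumeration rather than removing it.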