DNSSEC NSEC Records

medium Nessus Plugin ID 59959

Synopsis

The remote host may disclose the hostnames of other systems.

Description

The remote DNSSEC server uses NSEC records for negative answers to queries for its zone(s). NSEC records link to additional existing domains. These existing domains can be used to craft further queries that will lead to further NSEC records and thus further domains. This process can be repeated until all domains in the zone(s) are disclosed.

Solution

Remove NSEC records for the affected zones and use an NSEC3 signing algorithm.

See Also

http://blog.dest-unreach.be/2010/01/20/dnssec-the-nsec-and-nsec3-record

Plugin Details

Severity: Medium

ID: 59959

File Name: dnssec_nsec.nasl

Version: Revision: 1.2

Type: remote

Family: DNS

Published: 7/12/2012

Updated: 7/26/2012

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

Required KB Items: DNSSEC/udp/53, DNSSEC/zone