DNSSEC NSEC Records

medium Nessus Plugin ID 59959
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote host may disclose the hostnames of other systems.

Description

The remote DNSSEC server uses NSEC records for negative answers to queries for its zone(s). NSEC records link to additional existing domains. These existing domains can be used to craft further queries that will lead to further NSEC records and thus further domains. This process can be repeated until all domains in the zone(s) are disclosed.

Solution

Remove NSEC records for the affected zones and use an NSEC3 signing algorithm.

See Also

http://blog.dest-unreach.be/2010/01/20/dnssec-the-nsec-and-nsec3-record

Plugin Details

Severity: Medium

ID: 59959

File Name: dnssec_nsec.nasl

Version: Revision: 1.2

Type: remote

Family: DNS

Published: 7/12/2012

Updated: 7/26/2012

Dependencies: dnssec_resolver.nasl

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

Required KB Items: DNSSEC/udp/53, DNSSEC/zone