Detections
Analytics
DNSSEC NSEC Records
medium Nessus Plugin ID 59959
Language:
Synopsis
The remote host may disclose the hostnames of other systems.Description
The remote DNSSEC server uses NSEC records for negative answers to queries for its zone(s). NSEC records link to additional existing domains. These existing domains can be used to craft further queries that will lead to further NSEC records and thus further domains. This process can be repeated until all domains in the zone(s) are disclosed.Solution
Remove NSEC records for the affected zones and use an NSEC3 signing algorithm.See Also
http://blog.dest-unreach.be/2010/01/20/dnssec-the-nsec-and-nsec3-record
Plugin Details
Severity: Medium
ID: 59959
File Name: dnssec_nsec.nasl
Version: Revision: 1.2
Type: remote
Family: DNS
Published: 7/12/2012
Updated: 7/26/2012
Supported Sensors: Nessus
Vulnerability Information
Required KB Items: DNSSEC/udp/53, DNSSEC/zone