DNSSEC RFC 9276
I was having trouble getting through DNSViz without errors.
DNSViz shows errors:
- NSEC3 proving non-existence of 8k16z.ov351.example.com/A: An iterations count of 0 must be used in NSEC3 records to alleviate computational burdens. See RFC 9276, Sec. 3.1.
Reading the RFC: https://www.rfc-editor.org/rfc/rfc9276.html#section-3.1
If NSEC3 must be used, then an iterations count of 0 MUST be used to alleviate computational burdens. Note that extra iteration counts other than 0 increase the impact of CPU-exhausting DoS attacks, and also increase the risk of interoperability problems.
In short, for all zones, the recommended NSEC3 parameters are as shown below:
; SHA-1, no extra iterations, empty salt:
;
bcp.example. IN NSEC3PARAM 1 0 0 -
I've been using 2 servers in a cluster (cPanel + cPanel DNSOnly), both using PowerDNS.
First, changing to an iterations count of 0 is not supported via the set_nsec3_for_domains API. And it's not possible to remove the hash. Not sure why, but PowerDNS supports it.
Then, changing any of the following via the API doesn't replicate on the other server, which was a pain to debug until I realized:
Hey there! I did some research on this and found that we should be supporting iterations of 0 according to the RFC:
https://datatracker.ietf.org/doc/rfc9276/
Note that [RFC5155] describes the Iterations field as follows: "The Iterations field defines the number of additional times the hash function has been performed." This means that an NSEC3 record with an Iterations field of 0 actually requires one hash iteration.
I also confirmed that trying a value of 0 gives me the following error from the API call:
reason: "API failure: (XID 7sm6mf) “nsec3_iterations” must be a positive integer less than or equal to 2500."
I've created case CPANEL-45613 for our developers to look into this, and I'll be sure to post an update here if I hear back from them!
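To make the two points above concrete (the recommended NSEC3PARAM of "1 0 0 -", and an Iterations value of 0 still meaning one hash round), here is an added example that is not from this thread, cPanel or PowerDNS: it computes the NSEC3 owner-name hash exactly as RFC 5155 Section 5 defines it, and checks an NSEC3PARAM rdata string against RFC 9276 Section 3.1 the way DNSViz does. The names and parameter strings fed to it are constructed sample inputs.

```python
import base64
import hashlib

# base32hex (RFC 4648 Section 7), built from the standard base32 alphabet; zone files show it lowercase
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(owner: str, salt: str, iterations: int, algorithm: int = 1) -> str:
    """NSEC3 hash of an owner name per RFC 5155 Section 5, as it appears in the zone.

    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    'iterations' counts ADDITIONAL rounds: iterations=0 still costs one SHA-1, and
    every extra iteration adds one more round to every NSEC3 hash a resolver computes.
    """
    if algorithm != 1:
        raise ValueError("NSEC3 hash algorithm %d is not defined (only 1 = SHA-1)" % algorithm)
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)  # '-' is the empty salt
    # Canonical wire-format name: lowercase, length-prefixed labels, terminating root label
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt_bytes).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt_bytes).digest()
    # A 20-byte SHA-1 digest encodes to exactly 32 base32hex characters, no padding
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def check_nsec3param(rdata: str) -> list:
    """RFC 9276 Section 3.1 findings for NSEC3PARAM rdata in presentation format, e.g. '1 0 0 -'."""
    algorithm, flags, iterations, salt = rdata.split()
    findings = []
    if int(algorithm) != 1:
        findings.append("hash algorithm %s is not defined; only 1 (SHA-1) exists" % algorithm)
    if int(flags) != 0:
        findings.append("flags=%s: NSEC3PARAM flags must be zero (RFC 5155 Section 4.1.2)" % flags)
    if int(iterations) != 0:
        findings.append("iterations=%s: RFC 9276 requires 0 (this is what DNSViz flags)" % iterations)
    if salt != "-":
        findings.append("salt=%s: RFC 9276 says operators SHOULD NOT use a salt ('-')" % salt)
    return findings


if __name__ == "__main__":
    # Constructed sample parameters: the RFC 9276 recommendation and a legacy-style setting
    for params in ("1 0 0 -", "1 0 10 aabbccdd"):
        print(params, "->", check_nsec3param(params) or "OK")
    # RFC 5155 Appendix A test vector: salt aabbccdd, 12 extra iterations
    print(nsec3_hash("example", "aabbccdd", 12))  # prints 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
```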
Hi,
Is there an update available on CPANEL-45613 ? This issue is currently affecting over 50 of my domains.
Thank you
I don't have any updates on this just yet but it is going to get discussed in a meeting next Friday.
I did want to let you know our developers are investigating the issue at this time - I'll post any other updates once I get them!