Security Advisory Description

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

Impact

Unbound

A remote attacker may be able to trigger high CPU consumption using Domain Name System Security Extensions (DNSSEC) responses, causing a denial-of-service (DoS) in validating resolvers.

BIND

There is no impact; F5 products are not affected by this vulnerability in default, standard, or recommended configurations. However, if the BIND configuration (named.conf) was modified to enable DNS recursion with the recursion yes; line added to the options section of your BIND configuration file, a remote attacker may be able to trigger high CPU consumption using DNSSEC responses, causing a DoS in validating…
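To make the CPU cost concrete, the following added example (not code from this advisory, F5, Unbound or BIND) implements the RFC 5155 NSEC3 owner-name hash, counts the SHA-1 invocations a validator spends on a closest encloser proof, and shows the RFC 9276 style mitigation of refusing to hash above an iteration cap. The cap value MAX_ITERATIONS and the helper names are assumptions for illustration.

```python
import base64
import hashlib

# Assumed illustrative cap: a validator that follows RFC 9276 treats NSEC3 records
# with a high iteration count as insecure instead of performing the hashing work.
MAX_ITERATIONS = 100


def dns_name_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminated by a root (0x00) byte."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("invalid label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Returns the base32hex encoding used for NSEC3 owner names."""
    digest = hashlib.sha1(dns_name_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    std = base64.b32encode(digest).decode("ascii")      # standard base32 alphabet
    b32hex = std.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                         "0123456789ABCDEFGHIJKLMNOPQRSTUV"))
    return b32hex.lower()


def closest_encloser_work(qname: str, iterations: int) -> int:
    """Number of SHA-1 calls a validator spends hashing every candidate closest encloser
    (each ancestor of qname, down to the zone's root label) at the given iteration count.
    A random-subdomain query forces this work on every response, which is the DoS vector."""
    qname = qname.rstrip(".")
    candidates = (len(qname.split(".")) if qname else 0) + 1
    return candidates * (iterations + 1)


def hash_with_cap(name: str, salt: bytes, iterations: int):
    """Mitigation: refuse to compute hashes above the cap; the caller treats the proof as insecure."""
    if iterations > MAX_ITERATIONS:
        return None
    return nsec3_hash(name, salt, iterations)
```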