BIND DNS Denial of Service Vulnerability CVE-2026-1519 - Security Advisory TWA SEC 3661

TCPWave Security
Date: March 25, 2026
Product

TCPWave Remote DNS Appliances using ISC BIND as a caching resolver.

Overview

A high-severity Denial of Service vulnerability (CVE-2026-1519) was publicly disclosed by the Internet Systems Consortium (ISC) on March 25, 2026, affecting ISC BIND 9.18.x. The vulnerability is triggered when a BIND resolver performs DNSSEC validation on a maliciously crafted zone containing excessive NSEC3 iterations. This causes heavy CPU resource consumption and a significant reduction in DNS query throughput, resulting in a remote Denial of Service condition. This advisory provides guidance on the impact and mitigation steps within TCPWave DDI deployments.

Impact

TCPWave Remote DNS appliances running ISC BIND as a caching resolver are affected by this vulnerability when all of the following conditions are met:

  • Recursion is enabled (recursion yes).
  • DNSSEC validation is active (dnssec-validation auto or yes).
  • The resolver is handling queries for public internet domains.

Authoritative-only DNS servers are NOT affected. Successful exploitation could result in CPU exhaustion and complete degradation of DNS resolution services.

Affected Versions

TCPWave Remote DNS Appliances:

  • v11.34P2C13 and earlier builds shipping BIND 9.18.0 - 9.18.46
  • v11.34
  • v11.33
  • v11.32

Workaround / Mitigation

Through CLI:

As an immediate mitigation, disable DNSSEC validation in the BIND configuration file (named.conf):

options {
    dnssec-validation no;
};

Then reload BIND without dropping active queries:

sudo rndc reload
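The three conditions listed under Impact and the CLI mitigation above can be checked and applied against a named.conf before touching a live resolver. The script below is an added example and is not TCPWave's or ISC's code: the named.conf text is constructed for illustration, the values assumed for options that are omitted from the file (recursion on, validation auto) are an assumption to confirm against the BIND ARM for the installed build, and the third condition (serving public internet domains) cannot be read from the configuration, so the script only reports on the first two. It writes the mitigated text to stdout; validating it with named-checkconf and reloading with rndc remain manual steps.

```python
"""Report whether a BIND named.conf matches the affected resolver
configuration for CVE-2026-1519 (recursion on + DNSSEC validation on)
and emit the interim mitigation (dnssec-validation no).

Added example, not TCPWave's or ISC's code. Sample config is constructed.
"""
import re
import sys

# Constructed sample: a caching resolver with validation enabled.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    recursion yes;
    dnssec-validation auto;
    allow-query { any; };
};
"""

# Assumed BIND 9.18 defaults when the option is absent; confirm in the ARM.
ASSUMED_DEFAULTS = {"recursion": "yes", "dnssec-validation": "auto"}

# Simple "name value;" statements only; quoted values and sub-blocks are skipped.
_SIMPLE_STMT_RE = re.compile(r"^\s*([a-z-]+)\s+([a-z0-9]+)\s*;", re.M)
_VALIDATION_RE = re.compile(r"(\bdnssec-validation\s+)(yes|auto)(\s*;)")


def _strip_comments(text):
    """Drop /* */, // and # comments so commented-out settings are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _options_body(conf):
    """Return the text inside the top-level options { ... } block."""
    conf = _strip_comments(conf)
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:i]
    raise ValueError("unterminated options block")


def parse_options(conf):
    """Map option name -> value for simple statements in options {}."""
    return {k: v.lower() for k, v in _SIMPLE_STMT_RE.findall(_options_body(conf))}


def is_exposed(conf):
    """True when recursion is enabled and DNSSEC validation is active,
    the two configuration conditions from the advisory's Impact section."""
    opts = parse_options(conf)
    recursion = opts.get("recursion", ASSUMED_DEFAULTS["recursion"])
    validation = opts.get("dnssec-validation", ASSUMED_DEFAULTS["dnssec-validation"])
    return recursion == "yes" and validation in ("yes", "auto")


def apply_mitigation(conf):
    """Return conf with dnssec-validation set to no inside options {}.
    Leaves an unexposed config untouched so no duplicate statement is added.
    Assumes no commented-out dnssec-validation line precedes the live one."""
    if not is_exposed(conf):
        return conf
    if _VALIDATION_RE.search(conf):
        return _VALIDATION_RE.sub(r"\1no\3", conf, count=1)
    # Validation was active by default; make the mitigation explicit.
    return re.sub(r"(\boptions\s*\{)", r"\1\n    dnssec-validation no;", conf, count=1)


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NAMED_CONF
    if is_exposed(conf):
        print("# recursion + DNSSEC validation enabled: affected if serving public domains",
              file=sys.stderr)
        print("# after replacing named.conf: named-checkconf && sudo rndc reload",
              file=sys.stderr)
    else:
        print("# not in the affected configuration", file=sys.stderr)
    sys.stdout.write(apply_mitigation(conf))
```

Run it as `python3 check_cve_2026_1519.py /etc/named.conf > named.conf.mitigated`, diff the result against the original, then validate and reload as in the CLI steps above. Revert the change once the BIND 9.18.47 build is installed.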

Through GUI:

Network Management >> DNS Management >> DNS Templates >> while creating an appliance template, set Validate DNSSEC to No. The existing default templates cannot be edited; the setting applies only to newly created templates.

Note: Disabling DNSSEC validation reduces DNS security posture by removing cryptographic verification of DNS responses. This is a temporary measure only and should be reverted once the permanent fix is applied.

Resolution

TCPWave is actively working on upgrading ISC BIND to version 9.18.47, which includes the vendor-provided fix for this vulnerability. A patch release will be communicated once internal validation and QA are completed. Customers are advised to apply the mitigation above in the interim and await TCPWave's official fix before manually upgrading the BIND component.

Contact

For any clarifications or assistance, please contact TCPWave Technical Support: [email protected].
