Diffstat (limited to 'debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch')
-rw-r--r-- | debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch b/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch
new file mode 100644
index 0000000..90137eb
--- /dev/null
+++ b/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch
@@ -0,0 +1,32 @@
+From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat@nic.cz>
+Date: Tue, 2 Jan 2024 10:05:28 +0100
+Subject: validator: lower the NSEC3 iteration limit (150 -> 50)
+
+Also done by BIND9 >= 9.19.19:
+https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8515
+
+The latest real-life measurements show that values above 50 are rare:
+https://chat.dns-oarc.net/community/pl/aadp9wwrp7g7ux1b8chbzebmze
+---
+ lib/dnssec/nsec3.h | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
+index eb0bd39..723dc4a 100644
+--- a/lib/dnssec/nsec3.h
++++ b/lib/dnssec/nsec3.h
+@@ -11,12 +11,9 @@
+ * ...so we avoid doing all the work. The value is a current compromise;
+ * zones shooting over get downgraded to insecure status.
+ *
+- * Original restriction wasn't that strict:
+- https://datatracker.ietf.org/doc/html/rfc5155#section-10.3
+- * but there is discussion about officially lowering the limits:
+- https://tools.ietf.org/id/draft-hardaker-dnsop-nsec3-guidance-02.html#section-2.3
++ https://datatracker.ietf.org/doc/html/rfc9276#name-recommendation-for-validati
+ */
+-#define KR_NSEC3_MAX_ITERATIONS 150
++#define KR_NSEC3_MAX_ITERATIONS 50
+
+ /**
+ * Name error response check (RFC5155 7.2.2). |
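Review bot: The diffstat shows only the new file under debian/patches and no change to `debian/patches/series`; in a quilt-style source package a patch that is not listed in `series` is never applied, so unless a separate commit adds `0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch` there, the lowered `KR_NSEC3_MAX_ITERATIONS` value will not reach the built resolver. In the inner nsec3.h hunk the removed lines also took away the sentence that introduced the link, so the new comment ends with a bare ` *` line followed by the RFC 9276 URL with no lead-in; I would restore one, e.g. ` * The limit follows the RFC 9276 recommendation for validating resolvers:` directly before the URL. The comment block being edited begins before line 11 of nsec3.h, outside the hunk. The From:/Subject: headers suggest this is an upstream commit, so a DEP-3 `Origin:` line naming that commit would make the provenance visible to the next packager.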