From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= Date: Tue, 2 Jan 2024 10:05:28 +0100 Subject: validator: lower the NSEC3 iteration limit (150 -> 50) Also done by BIND9 >= 9.19.19: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8515 The latest real-life measurements show that values above 50 are rare: https://chat.dns-oarc.net/community/pl/aadp9wwrp7g7ux1b8chbzebmze --- lib/dnssec/nsec3.h | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h index eb0bd39..723dc4a 100644 --- a/lib/dnssec/nsec3.h +++ b/lib/dnssec/nsec3.h @@ -11,12 +11,9 @@ * ...so we avoid doing all the work. The value is a current compromise; * zones shooting over get downgraded to insecure status. * - * Original restriction wasn't that strict: - https://datatracker.ietf.org/doc/html/rfc5155#section-10.3 - * but there is discussion about officially lowering the limits: - https://tools.ietf.org/id/draft-hardaker-dnsop-nsec3-guidance-02.html#section-2.3 + https://datatracker.ietf.org/doc/html/rfc9276#name-recommendation-for-validati */ -#define KR_NSEC3_MAX_ITERATIONS 150 +#define KR_NSEC3_MAX_ITERATIONS 50 /** * Name error response check (RFC5155 7.2.2).