summaryrefslogtreecommitdiffstats
path: root/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch b/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch
new file mode 100644
index 0000000..90137eb
--- /dev/null
+++ b/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch
@@ -0,0 +1,32 @@
+From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat@nic.cz>
+Date: Tue, 2 Jan 2024 10:05:28 +0100
+Subject: validator: lower the NSEC3 iteration limit (150 -> 50)
+
+Also done by BIND9 >= 9.19.19:
+https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8515
+
+The latest real-life measurements show that values above 50 are rare:
+https://chat.dns-oarc.net/community/pl/aadp9wwrp7g7ux1b8chbzebmze
+---
+ lib/dnssec/nsec3.h | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
+index eb0bd39..723dc4a 100644
+--- a/lib/dnssec/nsec3.h
++++ b/lib/dnssec/nsec3.h
+@@ -11,12 +11,9 @@
+ * ...so we avoid doing all the work. The value is a current compromise;
+ * zones shooting over get downgraded to insecure status.
+ *
+- * Original restriction wasn't that strict:
+- https://datatracker.ietf.org/doc/html/rfc5155#section-10.3
+- * but there is discussion about officially lowering the limits:
+- https://tools.ietf.org/id/draft-hardaker-dnsop-nsec3-guidance-02.html#section-2.3
++ https://datatracker.ietf.org/doc/html/rfc9276#name-recommendation-for-validati
+ */
+-#define KR_NSEC3_MAX_ITERATIONS 150
++#define KR_NSEC3_MAX_ITERATIONS 50
+
+ /**
+ * Name error response check (RFC5155 7.2.2).