diff options
Diffstat (limited to '')
-rw-r--r-- | debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch b/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch new file mode 100644 index 0000000..90137eb --- /dev/null +++ b/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch @@ -0,0 +1,32 @@ +From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat@nic.cz> +Date: Tue, 2 Jan 2024 10:05:28 +0100 +Subject: validator: lower the NSEC3 iteration limit (150 -> 50) + +Also done by BIND9 >= 9.19.19: +https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8515 + +The latest real-life measurements show that values above 50 are rare: +https://chat.dns-oarc.net/community/pl/aadp9wwrp7g7ux1b8chbzebmze +--- + lib/dnssec/nsec3.h | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h +index eb0bd39..723dc4a 100644 +--- a/lib/dnssec/nsec3.h ++++ b/lib/dnssec/nsec3.h +@@ -11,12 +11,9 @@ + * ...so we avoid doing all the work. The value is a current compromise; + * zones shooting over get downgraded to insecure status. + * +- * Original restriction wasn't that strict: +- https://datatracker.ietf.org/doc/html/rfc5155#section-10.3 +- * but there is discussion about officially lowering the limits: +- https://tools.ietf.org/id/draft-hardaker-dnsop-nsec3-guidance-02.html#section-2.3 ++ https://datatracker.ietf.org/doc/html/rfc9276#name-recommendation-for-validati + */ +-#define KR_NSEC3_MAX_ITERATIONS 150 ++#define KR_NSEC3_MAX_ITERATIONS 50 + + /** + * Name error response check (RFC5155 7.2.2). |