From 5c6b8a58ae73e0da3929cffe9081a701578067fd Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Mon, 8 Apr 2024 16:54:37 +0200
Subject: Adding debian version 5.6.0-1+deb12u1.
Signed-off-by: Daniel Baumann
---
 ...or-lower-the-NSEC3-iteration-limit-150-50.patch | 32 ++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch
(limited to 'debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch')
diff --git a/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch b/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch
new file mode 100644
index 0000000..90137eb
--- /dev/null
+++ b/debian/patches/0001-validator-lower-the-NSEC3-iteration-limit-150-50.patch
@@ -0,0 +1,32 @@
+From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?=
+Date: Tue, 2 Jan 2024 10:05:28 +0100
+Subject: validator: lower the NSEC3 iteration limit (150 -> 50)
+
+Also done by BIND9 >= 9.19.19:
+https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8515
+
+The latest real-life measurements show that values above 50 are rare:
+https://chat.dns-oarc.net/community/pl/aadp9wwrp7g7ux1b8chbzebmze
+---
+ lib/dnssec/nsec3.h | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
+index eb0bd39..723dc4a 100644
+--- a/lib/dnssec/nsec3.h
++++ b/lib/dnssec/nsec3.h
+@@ -11,12 +11,9 @@
+ * ...so we avoid doing all the work. The value is a current compromise;
+ * zones shooting over get downgraded to insecure status.
+ *
+- * Original restriction wasn't that strict:
+- https://datatracker.ietf.org/doc/html/rfc5155#section-10.3
+- * but there is discussion about officially lowering the limits:
+- https://tools.ietf.org/id/draft-hardaker-dnsop-nsec3-guidance-02.html#section-2.3
++ https://datatracker.ietf.org/doc/html/rfc9276#name-recommendation-for-validati
+ */
+-#define KR_NSEC3_MAX_ITERATIONS 150
++#define KR_NSEC3_MAX_ITERATIONS 50
+
+ /**
+ * Name error response check (RFC5155 7.2.2).
-- cgit v1.2.3
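Review bot: After the inner patch is applied, the header comment in lib/dnssec/nsec3.h ends with a bare RFC 9276 URL and no sentence saying what it supports, because the four removed lines carried the only prose around the links; a one-line lead-in above the new link such as ` * RFC 9276 ("Recommendation for Validating Resolvers") is the reference for the current limit:` would keep the rationale readable. It would also help to state the trade-off beside `KR_NSEC3_MAX_ITERATIONS`, since the constant bounds the CPU a validator spends on NSEC3 hashing and, per the surrounding comment, zones above it are downgraded to insecure rather than validated, so zones signed with 51–150 iterations change behaviour with this patch — e.g. `/* Lowering this trades validation coverage for bounded hashing cost; see commit message for the measurements. */`. The debian/changelog entry for 5.6.0-1+deb12u1 is not in this hunk; if it does not already describe that behavioural change for deployments, it should. The comment block the inner hunk edits begins before line 11 of nsec3.h, outside the hunk.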