blob: 90137ebe28dd081e2ac7f3be37228af97e353488 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat@nic.cz>
Date: Tue, 2 Jan 2024 10:05:28 +0100
Subject: validator: lower the NSEC3 iteration limit (150 -> 50)
Also done by BIND9 >= 9.19.19:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8515
The latest real-life measurements show that values above 50 are rare:
https://chat.dns-oarc.net/community/pl/aadp9wwrp7g7ux1b8chbzebmze
---
lib/dnssec/nsec3.h | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
index eb0bd39..723dc4a 100644
--- a/lib/dnssec/nsec3.h
+++ b/lib/dnssec/nsec3.h
@@ -11,12 +11,9 @@
* ...so we avoid doing all the work. The value is a current compromise;
* zones shooting over get downgraded to insecure status.
*
- * Original restriction wasn't that strict:
- https://datatracker.ietf.org/doc/html/rfc5155#section-10.3
- * but there is discussion about officially lowering the limits:
- https://tools.ietf.org/id/draft-hardaker-dnsop-nsec3-guidance-02.html#section-2.3
+ https://datatracker.ietf.org/doc/html/rfc9276#name-recommendation-for-validati
*/
-#define KR_NSEC3_MAX_ITERATIONS 150
+#define KR_NSEC3_MAX_ITERATIONS 50
/**
* Name error response check (RFC5155 7.2.2).
|