From: Otto Date: Tue, 25 May 2021 14:17:40 +0000 (+0200) Subject: Change nsec3-max-iterations default to 150 X-Git-Tag: auth-4.5.0-beta1~22^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F10440%2Fhead;p=thirdparty%2Fpdns.git Change nsec3-max-iterations default to 150 --- diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index d5ff654fdf..c21a8a805a 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -5718,7 +5718,7 @@ int main(int argc, char **argv) ::arg().set("tcp-fast-open", "Enable TCP Fast Open support on the listening sockets, using the supplied numerical value as the queue size")="0"; ::arg().set("tcp-fast-open-connect", "Enable TCP Fast Open support on outgoing sockets")="no"; - ::arg().set("nsec3-max-iterations", "Maximum number of iterations allowed for an NSEC3 record")="2500"; + ::arg().set("nsec3-max-iterations", "Maximum number of iterations allowed for an NSEC3 record")="150"; ::arg().set("cpu-map", "Thread to CPU mapping, space separated thread-id=cpu1,cpu2..cpuN pairs")=""; diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index 3beb32f2b9..7b18b624e2 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst @@ -1363,11 +1363,15 @@ without consulting authoritative servers. .. versionadded:: 4.1.0 - Integer -- Default: 2500 +- Default: 150 Maximum number of iterations allowed for an NSEC3 record. If an answer containing an NSEC3 record with more iterations is received, its DNSSEC validation status is treated as Insecure. +.. versionchanged:: 4.6.0 + + Default is now 150, was 2500 before. + .. _setting-packetcache-ttl: ``packetcache-ttl`` diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst index 7bc05e4a1a..7c26187d29 100644 --- a/pdns/recursordist/docs/upgrade.rst +++ b/pdns/recursordist/docs/upgrade.rst 
@@ -4,9 +4,16 @@ Upgrade Guide Before upgrading, it is advised to read the :doc:`changelog/index`. When upgrading several versions, please read **all** notes applying to the upgrade. -4.4.x to 4.5.0 or master +4.5.x to 4.6.0 or master ------------------------ +Deprecated and changed settings +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +- The :ref:`setting-nsec3-max-iterations` default value has been changed from 2500 to 150. + +4.4.x to 4.5.1 +-------------- + Offensive language ^^^^^^^^^^^^^^^^^^ Synonyms for various settings names containing ``master``, ``slave``,
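Review bot: In the pdns/pdns_recursor.cc hunk, the new default "150" on the `nsec3-max-iterations` line comes with no stated rationale. The commit message only repeats the subject, and the help string is unchanged. Since this value decides which signed zones the recursor still validates, please add a sentence to the commit message, or a comment above the `::arg().set(...)` line, saying why 150 was chosen, so a later reader can judge whether the limit is still appropriate.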
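Review bot: In the pdns/recursordist/docs/settings.rst hunk, the new `.. versionchanged:: 4.6.0` directive is placed after the description paragraph, while the existing `.. versionadded:: 4.1.0` sits above the `- Integer` / `- Default:` list. Moving the `versionchanged` block up next to `versionadded` would keep the version history of the setting in one place and make it visible before the reader reaches the default. The description could also say that the limit is inclusive, meaning exactly 150 iterations is still accepted, if that is how the check is implemented.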
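Review bot: In the pdns/recursordist/docs/upgrade.rst hunk, the new bullet under "Deprecated and changed settings" gives the old and new default but not the consequence for operators. According to the settings.rst text in this same patch, answers whose NSEC3 records use more iterations than the limit are treated as Insecure, so zones using between 151 and 2500 iterations lose validation after the upgrade. Suggest adding that sentence to the bullet, along with a note that the previous behaviour can be kept by setting `nsec3-max-iterations` explicitly. Separately, the retained section heading changes from "4.4.x to 4.5.0 or master" to "4.4.x to 4.5.1". Please confirm that 4.5.1 rather than 4.5.0 is intended there.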