From 5a5d565f00e3382d75dd37f999c11eb9d0cac8d2 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Thu, 1 Apr 2021 20:03:28 +0200
Subject: [PATCH] auth: lower max-nsec3-iterations to 100
---
 docs/settings.rst | 5 ++++-
 docs/upgrading.rst | 1 +
 pdns/common_startup.cc | 2 +-
 pdns/dbdnsseckeeper.cc | 2 +-
 regression-tests.api/test_Zones.py | 4 ++--
 5 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/docs/settings.rst b/docs/settings.rst
index ed59c1f6af..ba875f02b2 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1012,11 +1012,14 @@ means unlimited.
 ------------------------
 - Integer
-- Default: 500
+- Default: 100
 Limit the number of NSEC3 hash iterations for zone configurations. For more information see :ref:`dnssec-operational-nsec-modes-params`.
+.. note::
+ Pre 4.5.0 the default was 500.
+
 .. _setting-max-packet-cache-entries:
 ``max-packet-cache-entries``
diff --git a/docs/upgrading.rst b/docs/upgrading.rst
index 3a9fffb23b..8e433279e5 100644
--- a/docs/upgrading.rst
+++ b/docs/upgrading.rst
@@ -41,6 +41,7 @@ Changed defaults
 ~~~~~~~~~~~~~~~~
 - The default value of the ``consistent-backends`` option has been changed from ``no`` to ``yes``.
+- The default value of the ``max-nsec3-iterations`` option has been changed from ``500`` to ``100``.
 - The default value of the ``timeout`` option for :ref:`ifportup` and :ref:`ifurlup` functions has been changed from ``1`` to ``2`` seconds.
 4.3.x to 4.4.0
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 176f480e0d..88963c2a46 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -222,7 +222,7 @@ void declareArguments()
 ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
 ::arg().set("default-zsk-algorithm","Default ZSK algorithm")="";
 ::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0";
- ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
+ ::arg().set("max-nsec3-iterations", "Limit the number of NSEC3 hash iterations") = "100";
 ::arg().set("default-publish-cdnskey","Default value for PUBLISH-CDNSKEY")="";
 ::arg().set("default-publish-cds","Default value for PUBLISH-CDS")="";
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index a06846b54b..650580a53e 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -347,7 +347,7 @@ bool DNSSECKeeper::getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent*
 static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
 if(ns3p) {
 *ns3p = NSEC3PARAMRecordContent(value);
- if (ns3p->d_iterations > maxNSEC3Iterations) {
+ if (ns3p->d_iterations > maxNSEC3Iterations && !isPresigned(zname, useCache)) {
 ns3p->d_iterations = maxNSEC3Iterations;
 g_log<
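Review bot: The new `= "100"` default lands without a rationale comment, while the line it replaces carried `// RFC5155 10.3`, so a reader of declareArguments() can no longer tell whether 100 is derived from the RFC 5155 key-size ceilings (which allow up to 500 iterations for 2048-bit keys) or is an operational choice made because additional iterations mostly add hashing cost for the authoritative server and for validating resolvers. Keep one line of context on the new line, e.g. `::arg().set("max-nsec3-iterations", "Limit the number of NSEC3 hash iterations") = "100"; // was 500 (RFC 5155 10.3 ceiling); lowered in 4.5.0, see docs/upgrading.rst`. The rewritten line also switches to spaced `set(..., ...) = "100"` formatting while the neighbouring `set(...)=""` lines keep the compact style, so either reformat the whole run or match it. declareArguments() continues outside the hunk.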