From 2a93a7c4fe2be264268bf18f3267ad8f89b665d4 Mon Sep 17 00:00:00 2001
From: Otto
Date: Tue, 25 May 2021 16:17:40 +0200
Subject: [PATCH] Change nsec3-max-iterations default to 150
---
 pdns/pdns_recursor.cc | 2 +-
 pdns/recursordist/docs/settings.rst | 6 +++++-
 pdns/recursordist/docs/upgrade.rst | 9 ++++++++-
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index d5ff654fdf..c21a8a805a 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -5718,7 +5718,7 @@ int main(int argc, char **argv)
 ::arg().set("tcp-fast-open", "Enable TCP Fast Open support on the listening sockets, using the supplied numerical value as the queue size")="0";
 ::arg().set("tcp-fast-open-connect", "Enable TCP Fast Open support on outgoing sockets")="no";
- ::arg().set("nsec3-max-iterations", "Maximum number of iterations allowed for an NSEC3 record")="2500";
+ ::arg().set("nsec3-max-iterations", "Maximum number of iterations allowed for an NSEC3 record")="150";
 ::arg().set("cpu-map", "Thread to CPU mapping, space separated thread-id=cpu1,cpu2..cpuN pairs")="";
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 3beb32f2b9..7b18b624e2 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -1363,11 +1363,15 @@ without consulting authoritative servers.
 .. versionadded:: 4.1.0
 - Integer
-- Default: 2500
+- Default: 150
 Maximum number of iterations allowed for an NSEC3 record. If an answer containing an NSEC3 record with more iterations is received, its DNSSEC validation status is treated as Insecure.
+.. versionchanged:: 4.6.0
+
+ Default is now 150, was 2500 before.
+
 .. _setting-packetcache-ttl:
 ``packetcache-ttl``
diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst
index 7bc05e4a1a..7c26187d29 100644
--- a/pdns/recursordist/docs/upgrade.rst
+++ b/pdns/recursordist/docs/upgrade.rst
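Review bot: The help string on the changed `nsec3-max-iterations` line still says only "Maximum number of iterations allowed for an NSEC3 record", while the settings.rst hunk in this same patch documents what happens above the limit (the answer's validation status becomes Insecure), so operators reading the built-in help lose the consequence of the new, much lower default. A one-line change keeps the two in step: `::arg().set("nsec3-max-iterations", "Maximum number of iterations allowed for an NSEC3 record; answers with more iterations are treated as Insecure")="150";`. Because zones using between 151 and 2500 iterations will now validate as Insecure rather than Secure, it is also worth confirming that the comparison against this setting (not in this hunk) treats the value as an inclusive maximum, so that exactly 150 iterations still validates as the documentation implies. main() starts and ends outside the hunk.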
@@ -4,9 +4,16 @@ Upgrade Guide
 Before upgrading, it is advised to read the :doc:`changelog/index`. When upgrading several versions, please read **all** notes applying to the upgrade.
-4.4.x to 4.5.0 or master
+4.5.x to 4.6.0 or master
 ------------------------
+Deprecated and changed settings
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+- The :ref:`setting-nsec3-max-iterations` default value has been changed from 2500 to 150.
+
+4.4.x to 4.5.1
+--------------
+
 Offensive language
 ^^^^^^^^^^^^^^^^^^
 Synonyms for various settings names containing ``master``, ``slave``,
-- 
2.47.2