::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256";
::arg().set("default-zsk-size","Default KSK size (0 means default)")="0";
+ ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
::arg().set("include-dir","Include *.conf files from this directory");
}
if(value.empty()) { // "no NSEC3"
return false;
}
-
+
+ static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
if(ns3p) {
NSEC3PARAMRecordContent* tmp=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
*ns3p = *tmp;
delete tmp;
+ if (ns3p->d_iterations > maxNSEC3Iterations) {
+ ns3p->d_iterations = maxNSEC3Iterations;
+ L<<Logger::Error<<"Number of NSEC3 iterations for zone '"<<zname<<"' is above 'max-nsec3-iterations'. Value adjusted to: "<<maxNSEC3Iterations<<endl;
+ }
}
if(narrow) {
getFromMeta(zname, "NSEC3NARROW", value);
bool DNSSECKeeper::setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
{
+ static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
+ if (ns3p.d_iterations > maxNSEC3Iterations)
+ throw runtime_error("Can't set NSEC3PARAM for zone '"+zname+"': number of NSEC3 iterations is above 'max-nsec3-iterations'");
+
clearCaches(zname);
string descr = ns3p.getZoneRepresentation();
vector<string> meta;
#
# max-ent-entries=100000
+#################################
+# max-nsec3-iterations Limit the number of NSEC3 hash iterations
+#
+# max-nsec3-iterations=500
+
#################################
# max-queue-length Maximum queuelength before considering situation lost
#
::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000";
::arg().set("module-dir","Default directory for modules")=LIBDIR;
::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
+ ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
::arg().laxFile(configname.c_str());
BackendMakers().launch(::arg()["launch"]); // vrooooom!
projects / thirdparty / pdns.git / commitdiff
