+25 May 2021: Wouter
+ - Move the NSEC3 max iterations count in line with the 150 value
+ used by BIND, Knot and PowerDNS. This sets the default value
+ for it in the configuration to 150 for all key sizes.
+
21 May 2021: Wouter
- Test code has -q option for quiet output.
# keysize. Keep this table very short, as linear search is done.
# A message with an NSEC3 with larger count is marked insecure.
# List in ascending order the keysize and count values.
- # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
+ # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
# if enabled, ZONEMD verification failures do not block the zone.
# zonemd-permissive-mode: no
.TP
.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
List of keysize and iteration count values, separated by spaces, surrounded
-by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
+by quotes. Default is "1024 150 2048 150 4096 150". This determines the
maximum allowed NSEC3 iteration count before a message is simply marked
insecure instead of performing the many hashing iterations. The list must
be in ascending order and have at least one entry. If you set it to
if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
#endif
if(!(cfg->val_nsec3_key_iterations =
- strdup("1024 150 2048 500 4096 2500"))) goto error_exit;
+ strdup("1024 150 2048 150 4096 150"))) goto error_exit;
#if defined(DNSTAP_SOCKET_PATH)
if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH)))
goto error_exit;
projects / thirdparty / unbound.git / commitdiff
