ldns-signzone warn about high NSEC iteration counts
authorWillem Toorop <willem@nlnetlabs.nl>
Thu, 25 Nov 2021 11:31:56 +0000 (12:31 +0100)
committerWillem Toorop <willem@nlnetlabs.nl>
Thu, 25 Nov 2021 11:31:56 +0000 (12:31 +0100)
For now just warn about the possible consequences of high counts, according to:
https://datatracker.ietf.org/doc/html/draft-hardaker-dnsop-nsec3-guidance-03#section-4

Thanks Andreas Schulze

examples/ldns-signzone.c

index d79852feb6dbc76385b105e11d55c78cba1f622e..9425833e53b69a0ca3520ee1800b8f905698abd7 100644 (file)
@@ -1027,6 +1027,23 @@ main(int argc, char *argv[])
        added_rrs = ldns_rr_list_new();
 
        if (use_nsec3) {
+               if (verbosity < 1)
+                       ; /* pass */
+
+               else if (nsec3_iterations > 500)
+                       fprintf(stderr, "Warning! NSEC3 iterations larger than "
+                           "500 may cause validating resolvers to return "
+                           "SERVFAIL!\n"
+                           "See: https://datatracker.ietf.org/doc/html/"
+                           "draft-hardaker-dnsop-nsec3-guidance-03#section-4\n");
+
+               else if (nsec3_iterations > 100)
+                       fprintf(stderr, "Warning! NSEC3 iterations larger than "
+                           "100 may cause validating resolvers to return "
+                           "insecure responses!\n"
+                           "See: https://datatracker.ietf.org/doc/html/"
+                           "draft-hardaker-dnsop-nsec3-guidance-03#section-4\n");
+
                result = ldns_dnssec_zone_sign_nsec3_flg_mkmap(signed_zone,
                        added_rrs,
                        keys,
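Review bot: The thresholds 100 and 500 are each hard-coded twice in the new branches, once in the comparison and once inside the message text, so a future change to the guidance has to be made in two places per branch and the check and the wording can drift apart; defining `enum { NSEC3_ITER_INSECURE = 100, NSEC3_ITER_SERVFAIL = 500 };` at file scope or at the top of main, comparing against those names and printing them with `%d` instead of the literal text keeps both in step. The `if (verbosity < 1) ; /* pass */` empty statement is easy to misread as a dropped line; folding the verbosity test into the conditions, `if (verbosity >= 1 && nsec3_iterations > 500)` and `else if (verbosity >= 1 && nsec3_iterations > 100)`, says the same thing without the dangling semicolon. Since the warning describes a setting that the cited guidance says can make the signed zone unvalidatable, it may be worth considering whether it should be silenced by a low verbosity at all. main() starts and ends outside the hunk.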