From: W.C.A. Wijngaards Date: Tue, 25 May 2021 12:35:19 +0000 (+0200) Subject: - Move the NSEC3 max iterations count in line with the 150 value X-Git-Tag: release-1.13.2rc1~164 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=11b3ebc3869480dec06264cef7b6a7b5f4e22a47;p=thirdparty%2Funbound.git - Move the NSEC3 max iterations count in line with the 150 value used by BIND, Knot and PowerDNS. This sets the default value for it in the configuration to 150 for all key sizes. --- diff --git a/doc/Changelog b/doc/Changelog index fec5e9ab4..7e0383db3 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,8 @@ +25 May 2021: Wouter + - Move the NSEC3 max iterations count in line with the 150 value + used by BIND, Knot and PowerDNS. This sets the default value + for it in the configuration to 150 for all key sizes. + 21 May 2021: Wouter - Test code has -q option for quiet output. diff --git a/doc/example.conf.in b/doc/example.conf.in index f968184a9..96eeebd59 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -614,7 +614,7 @@ server: # keysize. Keep this table very short, as linear search is done. # A message with an NSEC3 with larger count is marked insecure. # List in ascending order the keysize and count values. - # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" + # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150" # if enabled, ZONEMD verification failures do not block the zone. # zonemd-permissive-mode: no diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 9aa12c65c..efd17c0de 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -1215,7 +1215,7 @@ Default is "no". .TP .B val\-nsec3\-keysize\-iterations: \fI<"list of values"> List of keysize and iteration count values, separated by spaces, surrounded -by quotes. Default is "1024 150 2048 500 4096 2500". This determines the +by quotes. Default is "1024 150 2048 150 4096 150". This determines the maximum allowed NSEC3 iteration count before a message is simply marked insecure instead of performing the many hashing iterations. The list must be in ascending order and have at least one entry. If you set it to diff --git a/util/config_file.c b/util/config_file.c index 1d6374156..341978d97 100644 --- a/util/config_file.c +++ b/util/config_file.c @@ -309,7 +309,7 @@ config_create(void) if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit; #endif if(!(cfg->val_nsec3_key_iterations = - strdup("1024 150 2048 500 4096 2500"))) goto error_exit; + strdup("1024 150 2048 150 4096 150"))) goto error_exit; #if defined(DNSTAP_SOCKET_PATH) if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH))) goto error_exit;
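Review bot: the Changelog entry (doc/Changelog hunk) states the new default but not what it changes for operators: by the man page text in this same commit, a response whose NSEC3 iteration count exceeds the configured limit is marked insecure rather than hashed, so zones signed with more than 150 iterations under 2048- or 4096-bit keys, which previously fell under the 500 and 2500 limits, will now validate as insecure. Suggest one extra sentence in the entry, e.g. `Responses with NSEC3 iteration counts above 150 are now marked insecure.`, so the security-relevant effect is visible in the changelog and not only in the config documentation.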
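Review bot: with all three counts set to 150 in the doc/example.conf.in hunk, the keysize dependence of `val-nsec3-keysize-iterations` becomes vestigial, and the surrounding comment ("Keep this table very short, as linear search is done") argues for a shorter example. Either collapse the example to a single entry such as `"1024 150"`, if a key larger than the largest listed size is still governed by the last entry (worth confirming against the lookup code before collapsing, since the man page only requires at least one entry), or keep the three entries and add a line to the comment saying the per-keysize form is retained so operators can raise or lower individual counts.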
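Review bot: the doc/unbound.conf.5.in hunk updates only the default string, but this commit changes a validation threshold with a security effect, so the description should also say why 150 was chosen (alignment with BIND, Knot and PowerDNS, as the commit message states) and make explicit that a response exceeding the count becomes insecure, i.e. is handled as unsigned data, instead of being validated. That lets an operator who runs zones with higher iteration counts understand the outcome before the upgrade rather than after seeing DNSSEC status change.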
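Review bot: the literal `"1024 150 2048 150 4096 150"` in the util/config_file.c hunk now has to be kept in sync by hand with the identical string in doc/example.conf.in and doc/unbound.conf.5.in, three copies touched in this one commit. Suggest a single `#define` for the compiled-in default that the documentation is generated from or checked against, plus a unit test that parses the default and asserts the limit resolved for key sizes 1024, 2048 and 4096 is 150, so a future change cannot silently drift between code and docs. Also check whether any regression test data still references the old `2048 500 4096 2500` values and needs updating alongside this change.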