From: Aram Sargsyan Date: Tue, 21 Jan 2025 13:44:09 +0000 (+0000) Subject: Document sig0key-checks-limit and sig0message-checks-limit X-Git-Tag: ondrej/lock-free-qpzone-reads-v1~43^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5861c10dfb3a704af189265f4bc0b01cdd86c562;p=thirdparty%2Fbind9.git Document sig0key-checks-limit and sig0message-checks-limit --- diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 1af27775945..c4245cf869c 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -3936,6 +3936,26 @@ system. 2001:db8::100; }; +.. namedconf:statement:: sig0key-checks-limit + :tags: server + :short: Specifies the maximum number of SIG(0) keys to consider when trying to verify a message. + + This is the maximum number of keys to consider for a SIG(0)-signed message + when trying to verify it. :iscman:`named` will parse the candidate keys and + check whether their key tag and algorithm matches with the expected one + before trying to verify the signature. If the limit is reached the message + verification fails. The value of ``0`` disables the limitation. The default + is ``16``. + +.. namedconf:statement:: sig0message-checks-limit + :tags: server + :short: Specifies the maximum number of matching SIG(0) keys to try to verify a message. + + This is the maximum number of keys which (when correctly parsed and matched + against the expected key tag and algorithm) :iscman:`named` uses to verify + a SIG(0)-signed message. If the limit is reached the message verification + fails. The value of ``0`` disables the limitation. The default is ``2``. + .. _intervals: Periodic Task Intervals
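Review bot: In the sig0key-checks-limit paragraph, "check whether their key tag and algorithm matches with the expected one" has a subject-verb mismatch and should read "match the expected ones". More importantly, neither entry says how the two limits relate to each other. As written, sig0key-checks-limit bounds the candidate keys that are parsed and compared on key tag and algorithm, while sig0message-checks-limit bounds the matching keys actually used for signature verification. Stating that distinction explicitly in one entry and cross-referencing the other would save operators from treating them as duplicates, especially since the two :short: lines read almost the same. Both entries say that ``0`` disables the limitation without saying what the limit protects against, so a sentence on what an operator gives up by setting ``0`` would help. "If the limit is reached the message verification fails" should also say whether verification fails on reaching the limit or only on exceeding it, since with defaults of ``16`` and ``2`` the off-by-one matters.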