From: Willem Toorop
Date: Thu, 25 Nov 2021 11:31:56 +0000 (+0100)
Subject: ldns-signzone warn about high NSEC iteration counts
X-Git-Tag: 1.8.0~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e15660331702a289f13d612e4bdd266c55e764e6;p=thirdparty%2Fldns.git

ldns-signzone warn about high NSEC iteration counts

For now just warning for possible consequences of hight counts according to: https://datatracker.ietf.org/doc/html/draft-hardaker-dnsop-nsec3-guidance-03#section-4

Thanks Andreas Schulze
---
diff --git a/examples/ldns-signzone.c b/examples/ldns-signzone.c
index d79852fe..9425833e 100644
--- a/examples/ldns-signzone.c
+++ b/examples/ldns-signzone.c
@@ -1027,6 +1027,23 @@ main(int argc, char *argv[])
 added_rrs = ldns_rr_list_new();
 if (use_nsec3) {
+ if (verbosity < 1)
+ ; /* pass */
+
+ else if (nsec3_iterations > 500)
+ fprintf(stderr, "Warning! NSEC3 iterations larger than " "500 may cause validating resolvers to return " "SERVFAIL!\n" "See: https://datatracker.ietf.org/doc/html/" "draft-hardaker-dnsop-nsec3-guidance-03#section-4\n");
+
+ else if (nsec3_iterations > 100)
+ fprintf(stderr, "Warning! NSEC3 iterations larger than " "100 may cause validating resolvers to return " "insecure responses!\n" "See: https://datatracker.ietf.org/doc/html/" "draft-hardaker-dnsop-nsec3-guidance-03#section-4\n");
+
 result = ldns_dnssec_zone_sign_nsec3_flg_mkmap(signed_zone, added_rrs, keys,