From e15660331702a289f13d612e4bdd266c55e764e6 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 25 Nov 2021 12:31:56 +0100
Subject: [PATCH] ldns-signzone warn about high NSEC iteration counts

For now just warning for possible consequences of hight counts according to:
https://datatracker.ietf.org/doc/html/draft-hardaker-dnsop-nsec3-guidance-03#section-4

Thanks Andreas Schulze
---
 examples/ldns-signzone.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/examples/ldns-signzone.c b/examples/ldns-signzone.c
index d79852fe..9425833e 100644
--- a/examples/ldns-signzone.c
+++ b/examples/ldns-signzone.c
@@ -1027,6 +1027,23 @@ main(int argc, char *argv[])
 added_rrs = ldns_rr_list_new();
 if (use_nsec3) {
+ if (verbosity < 1)
+ ; /* pass */
+
+ else if (nsec3_iterations > 500)
+ fprintf(stderr, "Warning! NSEC3 iterations larger than " "500 may cause validating resolvers to return " "SERVFAIL!\n" "See: https://datatracker.ietf.org/doc/html/" "draft-hardaker-dnsop-nsec3-guidance-03#section-4\n");
+
+ else if (nsec3_iterations > 100)
+ fprintf(stderr, "Warning! NSEC3 iterations larger than " "100 may cause validating resolvers to return " "insecure responses!\n" "See: https://datatracker.ietf.org/doc/html/" "draft-hardaker-dnsop-nsec3-guidance-03#section-4\n");
+
 result = ldns_dnssec_zone_sign_nsec3_flg_mkmap(signed_zone,
 added_rrs,
 keys,
-- 
2.47.3
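Review bot: The empty-statement arm `if (verbosity < 1) ; /* pass */` exists only to short-circuit the two `else if` warnings, which hides the real condition and leaves each multi-line `fprintf` body unbraced; folding the verbosity guard into the conditions reads more directly, `if (verbosity >= 1 && nsec3_iterations > 500)` and `else if (verbosity >= 1 && nsec3_iterations > 100)`, with braces around each body. The bare thresholds 500 and 100 are the guidance document's SERVFAIL and insecure-response cut-offs and would be clearer as named constants with a short comment, since the `See:` URL points at a specific draft revision that will not stay current. Note too that the message is advisory only: signing proceeds with whatever iteration count was given, and a run with verbosity below 1 (the default is not visible in this hunk) gets no indication at all, so operators relying on the warning to catch a bad `nsec3_iterations` value should know it is conditional. main() begins and ends outside the hunk.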