We forgot to update dnssec-signzone while updating KASP defaults.
Closes: #3395
Related: #2956
+5904. [func] Changed dnssec-signzone -H default to 0 additional
+ NSEC3 iterations. [GL #3395]
+
5903. [bug] When named checks that the OPCODE in a response matches
that of the request, if there is a mismatch named logs
an error. Some of those error messages incorrectly
static dns_rdataclass_t gclass; /* The class */
static dns_name_t *gorigin; /* The database origin */
static int nsec3flags = 0;
-static dns_iterations_t nsec3iter = 10U;
+static dns_iterations_t nsec3iter = 0U;
static unsigned char saltbuf[255];
static unsigned char *gsalt = saltbuf;
static size_t salt_length = 0;
.. option:: -H iterations
This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default
- is 10.
+ is 0.
.. option:: -A
.TP
.B \-H iterations
This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default
-is 10.
+is 0.
.UNINDENT
.INDENT 0.0
.TP
Feature Changes
~~~~~~~~~~~~~~~
-- In order to reduce unnecessary memory consumption in the cache,
- NXDOMAIN records are no longer retained past the normal negative
- cache TTL, even if ``stale-cache-enable`` is set to ``yes``.
- :gl:`#3386`.
+- :option:The `dnssec-signzone -H` default value has been changed to 0 additional
+ NSEC3 iterations. This change aligns the :iscman:`dnssec-signzone` default with
+ the default used by the :ref:`dnssec-policy <dnssec_policy_grammar>` feature.
+ :gl:`#3395`
Bug Fixes
~~~~~~~~~