From 048d2a1c60c48842fc7cc4e01d76112f40dc371f Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Tue, 14 Oct 2025 16:53:53 +0200 Subject: [PATCH] feat(pdnsutil): Warn when NSEC3 iterations or salt are non-BCP Closes: #16212 --- pdns/pdnsutil.cc | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc index d9cc2251c6..9880df75a5 100644 --- a/pdns/pdnsutil.cc +++ b/pdns/pdnsutil.cc @@ -2,6 +2,7 @@ #include #include #include +#include #include //termios, TCSANOW, ECHO, ICANON #include #include @@ -942,6 +943,16 @@ static int checkZone(DNSSECKeeper &dk, UeberBackend &B, const ZoneName& zone, co cout<<"[Error] zone '" << zone << "' has NSEC3 semantics but is too long to have the hash prepended. Zone name is " << wirelength << " bytes long, whereas the maximum is 222 bytes." << endl; } + if (ns3pr.d_iterations > 0) { + numwarnings++; + cout<<"[Warning] zone '" << zone << "' has " << std::to_string(ns3pr.d_iterations) << " iterations configured for its NSEC3 parameter. 0 is the recommended value in RFC 9276." << endl; + } + + if (!ns3pr.d_salt.empty()) { + numwarnings++; + cout<<"[Warning] zone '" << zone << "' has a salt configured for its NSEC3 parameter. No salt ('-') is the recommended value in RFC 9276." << endl; + } + vector dbkeyset; B.getDomainKeys(zone, dbkeyset); @@ -4508,6 +4519,15 @@ static int setNsec3(vector& cmds, const std::string_view synopsis) DNSSECKeeper dk; //NOLINT(readability-identifier-length) ZoneName zone(cmds.at(0)); + + if (ns3pr.d_iterations > 0) { + cerr<<"[Warning] setting the number of iterations higher than 0 is not recommended by RFC 9276"<
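Review bot: The iterations warning added to checkZone understates the consequence: RFC 9276 §3.2 lets validating resolvers treat NSEC3 records with non-zero iterations as insecure, and deployed resolvers commonly do so above a local cap (on the order of 100–150 iterations), so a high count can silently drop the zone to unsigned status rather than merely being "not recommended". I would say that in the message and name the remedy, e.g. `"... 0 is the recommended value in RFC 9276; resolvers may treat higher values as insecure. Fix with 'pdnsutil set-nsec3 ZONE \"1 0 0 -\"'."` (confirm the command spelling against the setNsec3 handler in the later hunk). The `std::to_string(ns3pr.d_iterations)` wrapper is also unnecessary — the existing [Error] line just above streams `wirelength` directly — so `<< ns3pr.d_iterations <<` matches the file's style, unless d_iterations is a char-sized type. checkZone's body starts and ends outside this hunk, so whether these checks run only for NSEC3 zones (i.e. whether ns3pr was populated above) cannot be confirmed from here.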