git.ipfire.org Git - thirdparty/bind9.git/commit

]> git.ipfire.org Git - thirdparty/bind9.git/commit

projects / thirdparty / bind9.git / commit

author	Mark Andrews <marka@isc.org>
	Wed, 18 Feb 2026 01:30:22 +0000 (12:30 +1100)
committer	Ondřej Surý <ondrej@sury.org>
	Tue, 24 Feb 2026 13:57:22 +0000 (14:57 +0100)
commit	3801d0ebbf8da69077af84dae7f7ec23718b839b
tree	f3e76045338765878ce09b579a57ad0fb6592724	tree \| snapshot
parent	67b4fb56e40bf856e1fccd41e752d5f486b5b569	commit \| diff

Enforce NSEC3 record consistency

NSEC3 hashes are required to fit within a single DNS label. Since there
are 5 bits per label byte without pad characters, the maximum hash size
is floor(63*5/8) (39 bytes).

This patch enforces this maximum length for unknown algorithms, while
strictly enforcing the exact expected digest length for known algorithms
like SHA-1.

Mirror of https://gitlab.isc.org/isc-projects/bind9.git

RSS Atom

bin/tests/system/checkzone/zones/crashzone.db		diff \| blob \| blame \| history
lib/dns/include/dns/nsec3.h		diff \| blob \| blame \| history
lib/dns/rdata/generic/nsec3_50.c		diff \| blob \| blame \| history
lib/isc/include/isc/iterated_hash.h		diff \| blob \| blame \| history
tests/bench/iterated_hash.c		diff \| blob \| blame \| history