git.ipfire.org Git - thirdparty/bind9.git/commit
Enforce NSEC3 record consistency
author	Mark Andrews <marka@isc.org>
	Wed, 18 Feb 2026 01:30:22 +0000 (12:30 +1100)
committer	Ondřej Surý <ondrej@isc.org>
	Tue, 24 Feb 2026 16:10:52 +0000 (17:10 +0100)
commit	c88aa8a3808524f40f54cc9d398074cc24ea9150
tree	67d1bd0a9ee9eed0848768aa369e0ef58ef03394
parent	e0d05145e1e36ff4fdf7615f762f58f8000f44e7
Enforce NSEC3 record consistency

NSEC3 hashes are required to fit within a single DNS label.  Since there
are 5 bits per label byte without pad characters, the maximum hash size
is floor(63*5/8) (39 bytes).

This patch enforces this maximum length for unknown algorithms, while
strictly enforcing the exact expected digest length for known algorithms
like SHA-1.

(cherry picked from commit 3801d0ebbf8da69077af84dae7f7ec23718b839b)
bin/tests/system/checkzone/zones/crashzone.db
lib/dns/include/dns/nsec3.h
lib/dns/rdata/generic/nsec3_50.c
lib/isc/include/isc/iterated_hash.h
tests/bench/iterated_hash.c
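The length rule the commit message describes, worked through in code. This is an added example written for this page, not BIND's own implementation (the patched files above are not reproduced here). It assumes only facts outside the commit: a DNS label holds at most 63 octets (RFC 1035), NSEC3 hash algorithm number 1 is SHA-1 with a 20-octet digest (RFC 5155), and the hashed owner name is encoded as base32hex without padding (RFC 4648 section 7), so each output character carries 5 bits. The encoder shows why 39 octets is the ceiling: 39 octets become exactly 63 characters, while 40 octets need 64 and no longer fit in a label. The validation function mirrors the two-tier policy: an exact digest length for the known algorithm, and the label-fit bound for algorithms the code does not recognise.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_LABEL_MAX 63                                   /* RFC 1035 */
#define NSEC3_MAX_HASH_LEN ((DNS_LABEL_MAX * 5) / 8)       /* floor(63*5/8) = 39 */
#define NSEC3_HASHALG_SHA1 1                               /* RFC 5155 */
#define SHA1_DIGEST_LEN 20

/* base32hex alphabet (RFC 4648 section 7), lower case as DNS names are case-insensitive */
static const char B32HEX[] = "0123456789abcdefghijklmnopqrstuv";

/* Number of base32hex characters needed for nbytes when no '=' padding is used:
 * ceil(nbytes * 8 / 5). */
size_t base32hex_label_len(size_t nbytes) {
    return (nbytes * 8 + 4) / 5;
}

/* Unpadded base32hex encoder. Returns the number of characters written
 * (NUL-terminated), or 0 if the output buffer is too small. */
size_t base32hex_encode(const uint8_t *in, size_t inlen, char *out, size_t outcap) {
    size_t need = base32hex_label_len(inlen);
    if (outcap < need + 1) {
        return 0;
    }
    size_t o = 0;
    unsigned int acc = 0;   /* bit accumulator, never holds more than 12 bits */
    int bits = 0;
    for (size_t i = 0; i < inlen; i++) {
        acc = (acc << 8) | in[i];
        bits += 8;
        while (bits >= 5) {
            bits -= 5;
            out[o++] = B32HEX[(acc >> bits) & 0x1f];
        }
        acc &= (1u << bits) - 1;   /* keep only the leftover bits */
    }
    if (bits > 0) {
        /* final partial group: left-align the leftover bits, no padding char */
        out[o++] = B32HEX[(acc << (5 - bits)) & 0x1f];
    }
    out[o] = '\0';
    return o;
}

/* Policy from the commit message: a known algorithm must carry exactly its
 * digest length; an unknown algorithm may carry any non-empty hash that still
 * fits in one DNS label once base32hex-encoded. */
bool nsec3_hash_len_ok(uint8_t hashalg, size_t hashlen) {
    if (hashlen == 0 || hashlen > NSEC3_MAX_HASH_LEN) {
        return false;
    }
    switch (hashalg) {
    case NSEC3_HASHALG_SHA1:
        return hashlen == SHA1_DIGEST_LEN;
    default:
        return true;   /* unknown algorithm: only the label-fit bound applies */
    }
}

/* Whether a hash of hashlen octets produces an owner label that is legal on the wire. */
bool nsec3_hash_fits_label(size_t hashlen) {
    return base32hex_label_len(hashlen) <= DNS_LABEL_MAX;
}

int main(void) {
    /* constructed sample: 40 octets of 0xff, one more than the maximum */
    uint8_t too_long[40];
    memset(too_long, 0xff, sizeof(too_long));
    char label[80];

    for (size_t n = 38; n <= 40; n++) {
        size_t chars = base32hex_encode(too_long, n, label, sizeof(label));
        printf("%zu octets -> %zu chars, fits label: %s\n", n, chars,
               nsec3_hash_fits_label(n) ? "yes" : "no");
    }
    printf("SHA-1 with 20 octets ok: %d\n", nsec3_hash_len_ok(NSEC3_HASHALG_SHA1, 20));
    printf("SHA-1 with 39 octets ok: %d\n", nsec3_hash_len_ok(NSEC3_HASHALG_SHA1, 39));
    printf("unknown alg 200 with 39 octets ok: %d\n", nsec3_hash_len_ok(200, 39));
    printf("unknown alg 200 with 40 octets ok: %d\n", nsec3_hash_len_ok(200, 40));
    return 0;
}
```

Note the ordering in nsec3_hash_len_ok: the label-fit bound is checked before the algorithm switch, so a record claiming SHA-1 with a 39-octet hash is still rejected by the exact-length rule, while a record with an unrecognised algorithm is accepted only up to 39 octets and never at 40, which would be the first length to spill past 63 characters.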