git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Add release note and CHANGES for #4363
author Matthijs Mekking <matthijs@isc.org>
Wed, 22 Nov 2023 15:39:40 +0000 (16:39 +0100)
committer Matthijs Mekking <matthijs@isc.org>
Tue, 5 Dec 2023 14:58:58 +0000 (14:58 +0000)
This protocol change is definitely worth mentioning.

CHANGES
doc/notes/notes-current.rst

diff --git a/CHANGES b/CHANGES
index 06772c24e66020e329fe8852f916287a526f0f35..83590f84452ca11879315e9361086b05120c39ef 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+6292.  [func]          Lower the maximum number of allowed NSEC3 iterations,
+                       from 150 to 50. DNSSEC responses with a higher
+                       iteration count are treated as insecure. For signing
+                       with dnssec-policy, iterations must be set to zero.
+                       [GL #4363]
+
 6291.  [bug]           SIGTERM failed to properly stop multiple outstanding
                        lookup in dig. [GL #4457]
 
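Review bot: The first sentence of entry 6292 does not say that the 150-to-50 limit is the validation limit, so next to the last sentence ("For signing with dnssec-policy, iterations must be set to zero.") the entry describes two different limits without separating them. Suggest "Lower the maximum number of allowed NSEC3 iterations for validation, from 150 to 50", matching the wording used in the release note. It would also help to say what happens when a dnssec-policy still carries a non-zero iteration count, since "must be set to zero" does not tell the reader whether that is rejected or only warned about.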
index 7c0b9b30dc618ef1378c11727f64daa30b480b0d..9bb024fe9b7fd1b164d03eaffa936bfa3bb19846 100644 (file)
@@ -33,7 +33,12 @@ Removed Features
 Feature Changes
 ~~~~~~~~~~~~~~~
 
-- None.
+- The maximum number of allowed NSEC3 iterations for validation has been
+  lowered from 150 to 50. DNSSEC responses containing NSEC3 records with
+  iteration counts greater than 50 are now treated as insecure.  :gl:`#4363`
+
+- The number of NSEC3 iterations that can be configured for a zone must be 0.
+  :gl:`#4363`
 
 Bug Fixes
 ~~~~~~~~~
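Review bot: The second added bullet, "The number of NSEC3 iterations that can be configured for a zone must be 0.", does not name the setting it restricts, while the CHANGES entry for the same change says it applies to signing with dnssec-policy. Suggest naming dnssec-policy here as well and stating what happens to an existing configuration with a non-zero iteration count, because that is what an operator has to check before upgrading. The first bullet could also say what "treated as insecure" means for a validating resolver's answers, so readers do not assume such responses fail validation. Minor: there is a double space before :gl:`#4363` in the first bullet.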