dnssec-policy: refuse to load non-zero iterations
authorMatthijs Mekking <matthijs@isc.org>
Wed, 22 Nov 2023 11:29:56 +0000 (12:29 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 5 Dec 2023 14:58:58 +0000 (14:58 +0000)
According to RFC 9276, if NSEC3 must be used, then an iterations count
of 0 MUST be used to alleviate computational burdens.

lib/isccfg/kaspconf.c

index 19365fdc0644fa15f7ddd4fcbbe04d36e23dba8a..861cf514b331fd5755fd6ed10f21fdad69e205cf 100644 (file)
@@ -291,15 +291,12 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
                return (DNS_R_NSEC3BADALG);
        }
 
-       if (iter > dns_nsec3_maxiterations()) {
-               ret = DNS_R_NSEC3ITERRANGE;
-       }
-
-       if (ret == DNS_R_NSEC3ITERRANGE) {
+       if (iter != DEFAULT_NSEC3PARAM_ITER) {
                cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
                            "dnssec-policy: nsec3 iterations value %u "
-                           "out of range",
+                           "not allowed, must be zero",
                            iter);
+               return (DNS_R_NSEC3ITERRANGE);
                return (ret);
        }