Change nsec3param default to iter 0 salt-length 0

When using 'nsec3param' in 'dnssec-policy' and no specific parameters
are provided, default to zero additional iterations and no salt, as
recommended by draft-ietf-dnsop-nsec3-guidance.

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 07f793e7318ca65055e51dd838871fcf71289acd..3bc44397453b6d72d5032e658d7f4d0ecb17554a 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -5209,7 +5209,7 @@ The following options can be specified in a ``dnssec-policy`` statement:
 
     ::
 
-        nsec3param iterations 5 optout no salt-length 8;
+        nsec3param iterations 0 optout no salt-length 0;
 
     The default is to use NSEC.  The ``iterations``, ``optout`` and
     ``salt-length`` parts are optional, but if not set, the values in

diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 95df080f31c65bdfe41d8f3884350f80ddb9e971..e1e29cd7e1e5ed450b5876dd7097143ac6af0e79 100644 (file)
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -30,8 +30,8 @@
 #include <isccfg/kaspconf.h>
 #include <isccfg/namedconf.h>
 
-#define DEFAULT_NSEC3PARAM_ITER           5
-#define DEFAULT_NSEC3PARAM_SALTLEN 8
+#define DEFAULT_NSEC3PARAM_ITER           0
+#define DEFAULT_NSEC3PARAM_SALTLEN 0
 
 /*
  * Utility function for getting a configuration option.