2794. [bug] Reduce default NSEC3 iterations from 100 to 10.

			[RT #19970]

diff --git a/CHANGES b/CHANGES
index 44304cf0625dfa00d985105cfb337d99735c50d4..aefcc840ffa2107dd3784fb8299ad00af1584e5e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2794.  [bug]           Reduce default NSEC3 iterations from 100 to 10.
+                       [RT #19970]
+
 2793.  [port]          Add some noreturn attributes. [RT #20257]
 
 2792.  [port]          win32: 32/64 bit cleanups. [RT #20335]

diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 4e9ed949832527b7044d5831634bba7fee6ea1ac..cfa01f7811652b18170a667546658e6dc7b23b0a 100644 (file)
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.238 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssec-signzone.c,v 1.239 2009/09/29 22:17:34 each Exp $ */
 
 /*! \file */
 
@@ -147,7 +147,7 @@ static dns_dbiterator_t *gdbiter;   /* The database iterator */
 static dns_rdataclass_t gclass;                /* The class */
 static dns_name_t *gorigin;            /* The database origin */
 static int nsec3flags = 0;
-static dns_iterations_t nsec3iter = 100U;
+static dns_iterations_t nsec3iter = 10U;
 static unsigned char saltbuf[255];
 static unsigned char *salt = saltbuf;
 static size_t salt_length = 0;
@@ -3337,9 +3337,9 @@ usage(void) {
        fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
        fprintf(stderr, "\t-k key_signing_key\n");
        fprintf(stderr, "\t-l lookasidezone\n");
-       fprintf(stderr, "\t-3 salt (NSEC3 salt)\n");
-       fprintf(stderr, "\t-H iterations (NSEC3 iterations)\n");
-       fprintf(stderr, "\t-A (NSEC3 optout)\n");
+       fprintf(stderr, "\t-3 NSEC3 salt\n");
+       fprintf(stderr, "\t-H NSEC3 iterations (10)\n");
+       fprintf(stderr, "\t-A NSEC3 optout\n");
        fprintf(stderr, "\t-z:\t");
        fprintf(stderr, "ignore KSK flag in DNSKEYs");
 

diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 75ac03e7dcf02be5d555e471d2721c4cfecf641b..9a3dc364ae8d8b796a0c1fa5ffca7552114a7b57 100644 (file)
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.37 2009/09/25 06:47:50 each Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.38 2009/09/29 22:17:34 each Exp $ -->
 <refentry id="man.dnssec-signzone">
   <refentryinfo>
     <date>June 05, 2009</date>
@@ -552,7 +552,7 @@
         <term>-3 <replaceable class="parameter">salt</replaceable></term>
         <listitem>
           <para>
-            Generate a NSEC3 chain with the given hex encoded salt.
+            Generate an NSEC3 chain with the given hex encoded salt.
            A dash (<replaceable class="parameter">salt</replaceable>) can
            be used to indicate that no salt is to be used when generating                  the NSEC3 chain.
           </para>
@@ -563,8 +563,8 @@
         <term>-H <replaceable class="parameter">iterations</replaceable></term>
         <listitem>
           <para>
-           When generating a NSEC3 chain use this many interations.  The
-           default is 100.
+           When generating an NSEC3 chain, use this many interations.  The
+           default is 10.
           </para>
         </listitem>
       </varlistentry>
@@ -573,7 +573,7 @@
         <term>-A</term>
         <listitem>
           <para>
-           When generating a NSEC3 chain set the OPTOUT flag on all
+           When generating an NSEC3 chain set the OPTOUT flag on all
            NSEC3 records and do not generate NSEC3 records for insecure
            delegations.
           </para>