Lower the maximum allowed NSEC3 iterations to 50
authorMatthijs Mekking <matthijs@isc.org>
Wed, 22 Nov 2023 15:12:51 +0000 (16:12 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 5 Dec 2023 14:58:58 +0000 (14:58 +0000)
BIND 9 will now treat the response as insecure when processing NSEC3
records with iterations larger than 50.

Earlier, we limited the number of iterations to 150 (in #2445).

RFC 9276 says: Because there has been a large growth of open (public)
DNSSEC validating resolvers that are subject to compute resource
constraints when handling requests from anonymous clients, this
document recommends that validating resolvers reduce their iteration
count limits over time. Specifically, validating resolver operators and
validating resolver software implementers are encouraged to continue
evaluating NSEC3 iteration count deployment trends and lower their
acceptable iteration limits over time.

After evaluation, we decided that the next major BIND release should
lower the maximum allowed NSEC3 iterations to 50, which should be
fine for 99,87% of the domain names.

bin/dnssec/dnssec-signzone.c
lib/dns/include/dns/nsec3.h

index 2cf0a9bd83e5c8fd14e08e44fc58b8c829cb5d04..83e3b9ee6af6038c83befffd11b385fcf7fecbaa 100644 (file)
@@ -3494,7 +3494,7 @@ main(int argc, char *argv[]) {
                        set_iter = true;
                        /* too-many is NOT DOCUMENTED */
                        if (strcmp(isc_commandline_argument, "too-many") == 0) {
-                               nsec3iter = 151;
+                               nsec3iter = 51;
                                no_max_check = true;
                                break;
                        }
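Review bot: The test hook's new value on the `nsec3iter = 51;` line is a bare number that only works because it is exactly one above DNS_NSEC3_MAXITERATIONS, which this same commit lowers to 50U in lib/dns/include/dns/nsec3.h; the next change to the limit will silently leave "too-many" exercising an allowed value, as this commit itself had to remember to do. Deriving it from the constant makes the hook self-maintaining: `nsec3iter = DNS_NSEC3_MAXITERATIONS + 1;`, assuming dns/nsec3.h is already included by this file (not visible in the hunk). A short comment on that line would also help, e.g. `/* one past DNS_NSEC3_MAXITERATIONS, deliberately */`. main() starts and ends outside the hunk.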
index e4da790b060a7160c2fcc2f1e284b6ccac05b293..3cd81cc616135d76c1708924e9cbd4aa5c33202f 100644 (file)
@@ -26,7 +26,7 @@
 #include <dns/types.h>
 
 #define DNS_NSEC3_SALTSIZE     255
-#define DNS_NSEC3_MAXITERATIONS 150U
+#define DNS_NSEC3_MAXITERATIONS 50U
 
 /*
  * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
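Review bot: The lowered limit on the `#define DNS_NSEC3_MAXITERATIONS 50U` line carries no comment saying what happens above it or why 50 was chosen, and this header is where readers will look first; the rationale currently lives only in the commit message. A comment above the define would keep it next to the value, e.g. `/* NSEC3 RRs with more iterations than this are treated as insecure; lowered from 150 per RFC 9276 */`. Code elsewhere that needs a related value (the dnssec-signzone.c hunk hard-codes 51) should be derived from this constant rather than repeating it.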