From: Matthijs Mekking
Date: Wed, 22 Nov 2023 11:29:56 +0000 (+0100)
Subject: dnssec-policy: refuse to load non-zero iterations
X-Git-Tag: v9.19.19~13^2~5
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=75e0d394dd2147a0b07524521c084a71801e4eee;p=thirdparty%2Fbind9.git

dnssec-policy: refuse to load non-zero iterations

According to RFC 9276, if NSEC3 must be used, then an iterations count of 0 MUST be used to alleviate computational burdens.
---

diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 19365fdc064..861cf514b33 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -291,15 +291,12 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 return (DNS_R_NSEC3BADALG);
 }
 
- if (iter > dns_nsec3_maxiterations()) {
- ret = DNS_R_NSEC3ITERRANGE;
- }
- 
- if (ret == DNS_R_NSEC3ITERRANGE) {
+ if (iter != DEFAULT_NSEC3PARAM_ITER) {
 cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 "dnssec-policy: nsec3 iterations value %u "
- "out of range",
+ "not allowed, must be zero",
 iter);
+ return (DNS_R_NSEC3ITERRANGE);
 return (ret);
 }
 
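Review bot: The added `return (DNS_R_NSEC3ITERRANGE);` makes the `return (ret);` that follows it unreachable, so the hunk leaves dead code in the error branch and a build with unreachable-code warnings will flag it; drop `return (ret);` (and, if the removed `ret = DNS_R_NSEC3ITERRANGE;` was its only writer, presumably `ret` is now an unused local as well — verify against the rest of the function). The log text hard-codes "must be zero" while the check compares against DEFAULT_NSEC3PARAM_ITER, so the two can drift apart; either format the constant into the message, `"not allowed, must be %u", iter, DEFAULT_NSEC3PARAM_ITER`, or add a comment above the check, `/* RFC 9276: NSEC3 iterations MUST be 0; reject anything else at load time. */`, to record why the former range check was replaced by an exact match. cfg_nsec3param_fromconfig starts and ends outside the hunk.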