Merge branch 'matthijs-follow-up-2642-nsec3-iter-kasp' into 'main'

dnssec-policy: reduce NSEC3 iterations to 150

See merge request isc-projects/bind9!4952

bin/tests/system/checkconf/bad-kasp-iterations.conf

@@ -1,14 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-dnssec-policy too-many-iterations {
-	nsec3param iterations 151;
-};

bin/tests/system/checkconf/good-kasp-iterations.conf

@@ -1,14 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-dnssec-policy max-iterations {
-	nsec3param iterations 150;
-};

bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf

@@ -27,28 +27,28 @@ dnssec-policy "rsasha256" {
 	keys {
 		csk lifetime P10Y algorithm rsasha256 2048;
 	};
-	nsec3param iterations 500;
+	nsec3param iterations 150;
 };
 
 dnssec-policy "rsasha256-bad" {
 	keys {
 		csk lifetime P10Y algorithm rsasha256 2048;
 	};
-	nsec3param iterations 501;
+	nsec3param iterations 151;
 };
 
 dnssec-policy "rsasha512" {
 	keys {
 		csk lifetime P10Y algorithm rsasha512 4096;
 	};
-	nsec3param iterations 2500;
+	nsec3param iterations 150;
 };
 
 dnssec-policy "rsasha512-bad" {
 	keys {
 		csk lifetime P10Y algorithm rsasha512 4096;
 	};
-	nsec3param iterations 2501;
+	nsec3param iterations 151;
 };
 
 zone "example.net" {

bin/tests/system/checkconf/tests.sh

@@ -495,8 +495,6 @@ echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
 ret=0
 $CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1
 grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1
-grep "dnssec-policy: nsec3 iterations value 501 out of range" < checkconf.out$n > /dev/null || ret=1
-grep "dnssec-policy: nsec3 iterations value 2501 out of range" < checkconf.out$n > /dev/null || ret=1
 lines=$(wc -l < "checkconf.out$n")
 if [ $lines != 3 ]; then ret=1; fi
 if [ $ret != 0 ]; then echo_i "failed"; fi

lib/isccfg/kaspconf.c

@@ -22,6 +22,7 @@
 #include <dns/kasp.h>
 #include <dns/keyvalues.h>
 #include <dns/log.h>
+#include <dns/nsec3.h>
 #include <dns/result.h>
 #include <dns/secalg.h>
 
@@ -213,12 +214,7 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 		return (DNS_R_NSEC3BADALG);
 	}
 
-	/* See RFC 5155 Section 10.3 for iteration limits. */
-	if (min_keysize <= 1024 && iter > 150) {
-		ret = DNS_R_NSEC3ITERRANGE;
-	} else if (min_keysize <= 2048 && iter > 500) {
-		ret = DNS_R_NSEC3ITERRANGE;
-	} else if (min_keysize <= 4096 && iter > 2500) {
+	if (iter > dns_nsec3_maxiterations()) {
 		ret = DNS_R_NSEC3ITERRANGE;
 	}