ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

dnssec-policy: reduce NSEC3 iterations to 150

Browse Source 
When reducing the number of NSEC3 iterations to 150, commit
aa26cde2ae added tests for dnssec-policy
to check that a too high iteration count is a configuration failure.

The test is not sufficient because 151 was always too high for
ECDSAP256SHA256. The test should check for a different algorithm.

There was an existing test case that checks for NSEC3 iterations.
Update the test with the new maximum values.

Update the code in 'kaspconf.c' to allow at most 150 iterations.
This commit is contained in:
Matthijs Mekking
2021-04-29 09:54:51 +02:00
parent 0fd3c8e48b
commit efa5d84dcf
5 changed files with 6 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
View File

@@ -27,28 +27,28 @@ dnssec-policy "rsasha256" {
keys {
csk lifetime P10Y algorithm rsasha256 2048;
};
nsec3param iterations 500;
nsec3param iterations 150;
};
dnssec-policy "rsasha256-bad" {
keys {
csk lifetime P10Y algorithm rsasha256 2048;
};
nsec3param iterations 501;
nsec3param iterations 151;
};
dnssec-policy "rsasha512" {
keys {
csk lifetime P10Y algorithm rsasha512 4096;
};
nsec3param iterations 2500;
nsec3param iterations 150;
};
dnssec-policy "rsasha512-bad" {
keys {
csk lifetime P10Y algorithm rsasha512 4096;
};
nsec3param iterations 2501;
nsec3param iterations 151;
};
zone "example.net" {