dnssec-policy: reduce NSEC3 iterations to 150

When reducing the number of NSEC3 iterations to 150, commit aa26cde2ae added tests for dnssec-policy to check that a too high iteration count is a configuration failure. The test is not sufficient because 151 was always too high for ECDSAP256SHA256. The test should check for a different algorithm. There was an existing test case that checks for NSEC3 iterations. Update the test with the new maximum values. Update the code in 'kaspconf.c' to allow at most 150 iterations.
2021-04-29 09:54:51 +02:00
parent 0fd3c8e48b
commit efa5d84dcf
5 changed files with 6 additions and 40 deletions
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -495,8 +495,6 @@ echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
 ret=0
 $CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1
 grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1
-grep "dnssec-policy: nsec3 iterations value 501 out of range" < checkconf.out$n > /dev/null || ret=1
-grep "dnssec-policy: nsec3 iterations value 2501 out of range" < checkconf.out$n > /dev/null || ret=1
 lines=$(wc -l < "checkconf.out$n")
 if [ $lines != 3 ]; then ret=1; fi
 if [ $ret != 0 ]; then echo_i "failed"; fi