Lower the maximum allowed NSEC3 iterations to 50

BIND 9 will now treat the response as insecure when processing NSEC3
records with iterations larger than 50.

Earlier, we limited the number of iterations to 150 (in #2445).

RFC 9276 says: Because there has been a large growth of open (public)
DNSSEC validating resolvers that are subject to compute resource
constraints when handling requests from anonymous clients, this
document recommends that validating resolvers reduce their iteration
count limits over time. Specifically, validating resolver operators and
validating resolver software implementers are encouraged to continue
evaluating NSEC3 iteration count deployment trends and lower their
acceptable iteration limits over time.

After evaluation, we decided that the next major BIND release should
lower the maximum allowed NSEC3 iterations to 50, which should be
fine for 99,87% of the domain names.
Matthijs Mekking
2023-11-22 16:12:51 +01:00
parent 3c08fbc79f
commit ff4201e388
2 changed files with 2 additions and 2 deletions


@@ -3494,7 +3494,7 @@ main(int argc, char *argv[]) {
set_iter = true;
/* too-many is NOT DOCUMENTED */
if (strcmp(isc_commandline_argument, "too-many") == 0) {
nsec3iter = 151;
nsec3iter = 51;
no_max_check = true;
break;
}
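Review bot: the literal on the `nsec3iter = 51;` line hard-codes "one more than the limit" a second time, so the next time DNS_NSEC3_MAXITERATIONS is lowered this undocumented `too-many` switch can silently stop exceeding the limit and the over-limit path it exists to exercise (together with `no_max_check = true`) goes untested; derive the value from the header constant, e.g. `nsec3iter = DNS_NSEC3_MAXITERATIONS + 1;`, and replace the `/* too-many is NOT DOCUMENTED */` comment with one sentence stating that the option is a test-only hook for forcing an over-limit iteration count.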


@@ -26,7 +26,7 @@
#include <dns/types.h>
#define DNS_NSEC3_SALTSIZE 255
#define DNS_NSEC3_MAXITERATIONS 150U
#define DNS_NSEC3_MAXITERATIONS 50U
/*
* hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
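Review bot: the `#define DNS_NSEC3_MAXITERATIONS 50U` line carries no comment on why 50 was chosen or what the validator does above it, although the commit message explains both (RFC 9276 recommends lowering acceptable iteration limits over time, and responses with more iterations are treated as insecure); add that rationale next to the define, including that the limit was previously 150, so the next lowering does not require digging through the commit log to recover the reasoning.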