
Reduce nsec3 max iterations to 150

This commit is contained in:
Mark Andrews
2021-04-19 16:32:54 +10:00
parent 51f94b8c7c
commit 29126500d2
6 changed files with 17 additions and 100 deletions


@@ -2007,7 +2007,7 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_difftuple_t *tuple;
bool nseconly = false, nsec3 = false;
isc_result_t result;
unsigned int iterations = 0, max;
unsigned int iterations = 0;
dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
/* Scan the tuples for an NSEC-only DNSKEY or an NSEC3PARAM */
@@ -2062,12 +2062,9 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
/* Verify NSEC3 params */
CHECK(get_iterations(db, ver, privatetype, &iterations));
CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
if (max != 0 && iterations > max) {
if (iterations > dns_nsec3_maxiterations()) {
update_log(client, zone, ISC_LOG_ERROR,
"too many NSEC3 iterations (%u) for "
"weakest DNSKEY (%u)",
iterations, max);
"too many NSEC3 iterations (%u)", iterations);
result = DNS_R_REFUSED;
goto failure;
}
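Review bot: The refusal logged at the `update_log` call in the second hunk no longer tells the operator which limit was exceeded; the removed message named the per-DNSKEY maximum, while the new one reports only the iteration count, so an operator whose update is REFUSED has to read the source to learn the cap. Because `dns_nsec3_maxiterations()` is now called with no arguments on the new `if` line, the limit is cheap to report: `"too many NSEC3 iterations (%u), maximum is %u", iterations, dns_nsec3_maxiterations());` (this assumes the function returns an `unsigned int`, as its comparison with `iterations` suggests; confirm the type matches the `%u` conversion). It would also help to update the `/* Verify NSEC3 params */` comment to say the check now applies a fixed cap (150 per the commit title) rather than one derived from the weakest key, since the first hunk drops the `max` local that used to carry that value. check_dnssec() begins before the first hunk and its failure path continues after the closing brace of this one.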