From 8f324b4717c273a0db8fff65b226ad1b7101aa7b Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 20 Oct 2021 16:36:11 +0200 Subject: [PATCH] Change nsec3param default to iter 0 salt-length 0 When using 'nsec3param' in 'dnssec-policy' and no specific parameters are provided, default to zero additional iterations and no salt, as recommended by draft-ietf-dnsop-nsec3-guidance. --- doc/arm/reference.rst | 2 +- lib/isccfg/kaspconf.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 07f793e731..3bc4439745 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -5209,7 +5209,7 @@ The following options can be specified in a ``dnssec-policy`` statement: :: - nsec3param iterations 5 optout no salt-length 8; + nsec3param iterations 0 optout no salt-length 0; The default is to use NSEC. The ``iterations``, ``optout`` and ``salt-length`` parts are optional, but if not set, the values in diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index 95df080f31..e1e29cd7e1 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -30,8 +30,8 @@ #include #include -#define DEFAULT_NSEC3PARAM_ITER 5 -#define DEFAULT_NSEC3PARAM_SALTLEN 8 +#define DEFAULT_NSEC3PARAM_ITER 0 +#define DEFAULT_NSEC3PARAM_SALTLEN 0 /* * Utility function for getting a configuration option.
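Review bot: In the doc/arm/reference.rst hunk, the example block is changed to `nsec3param iterations 0 optout no salt-length 0;` but the prose that follows ("The ``iterations``, ``optout`` and ``salt-length`` parts are optional, but if not set, the values in ...") is cut off at the hunk boundary and nothing in the visible hunk explains why 0/0 is now the default. Please add a sentence to the ARM stating that the defaults of zero additional iterations and no salt follow draft-ietf-dnsop-nsec3-guidance, so operators do not "fix" them back up to 5/8. Also worth a note in the ARM or release notes: a ``dnssec-policy`` that uses ``nsec3param`` without explicit values will get different NSEC3 parameters after upgrading, which the commit message does not call out.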
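Review bot: In the lib/isccfg/kaspconf.c hunk, `DEFAULT_NSEC3PARAM_ITER` and `DEFAULT_NSEC3PARAM_SALTLEN` are bare numeric macros with no comment, so the rationale in the commit message (draft-ietf-dnsop-nsec3-guidance) is lost in the code. Suggest a one-line comment above the two defines, e.g. `/* Defaults per draft-ietf-dnsop-nsec3-guidance: no extra iterations, no salt. */`. Separately, this diff only changes the default constants; it does not show the code that consumes `DEFAULT_NSEC3PARAM_SALTLEN`. Please confirm that the salt-generation path copes with a length of 0 (no random bytes requested, empty salt emitted in the NSEC3PARAM record) without further changes, and that the existing unit or system tests that assert the old 5/8 defaults have been updated, since neither is visible here.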