2794. [bug] Reduce default NSEC3 iterations from 100 to 10.

[RT #19970]
2025-08-22 10:10:06 +00:00 · 2009-09-29 22:17:34 +00:00 · 2009-09-29 22:17:34 +00:00 · a93a66f618
commit a93a66f618
parent c300f45d7b
3 changed files with 13 additions and 10 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+2794.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
+			[RT #19970]
+
 2793.	[port]		Add some noreturn attributes. [RT #20257]

 2792.	[port]		win32: 32/64 bit cleanups. [RT #20335]
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@ -29,7 +29,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-signzone.c,v 1.238 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssec-signzone.c,v 1.239 2009/09/29 22:17:34 each Exp $ */

 /*! \file */

@ -147,7 +147,7 @@ static dns_dbiterator_t *gdbiter;	/* The database iterator */
 static dns_rdataclass_t gclass;		/* The class */
 static dns_name_t *gorigin;		/* The database origin */
 static int nsec3flags = 0;
-static dns_iterations_t nsec3iter = 100U;
+static dns_iterations_t nsec3iter = 10U;
 static unsigned char saltbuf[255];
 static unsigned char *salt = saltbuf;
 static size_t salt_length = 0;
@ -3337,9 +3337,9 @@ usage(void) {
 	fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
 	fprintf(stderr, "\t-k key_signing_key\n");
 	fprintf(stderr, "\t-l lookasidezone\n");
-	fprintf(stderr, "\t-3 salt (NSEC3 salt)\n");
-	fprintf(stderr, "\t-H iterations (NSEC3 iterations)\n");
-	fprintf(stderr, "\t-A (NSEC3 optout)\n");
+	fprintf(stderr, "\t-3 NSEC3 salt\n");
+	fprintf(stderr, "\t-H NSEC3 iterations (10)\n");
+	fprintf(stderr, "\t-A NSEC3 optout\n");
 	fprintf(stderr, "\t-z:\t");
 	fprintf(stderr, "ignore KSK flag in DNSKEYs");

--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@ -18,7 +18,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- $Id: dnssec-signzone.docbook,v 1.37 2009/09/25 06:47:50 each Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.38 2009/09/29 22:17:34 each Exp $ -->
 <refentry id="man.dnssec-signzone">
  <refentryinfo>
    <date>June 05, 2009</date>
@ -552,7 +552,7 @@
        <term>-3 <replaceable class="parameter">salt</replaceable></term>
        <listitem>
          <para>
-            Generate a NSEC3 chain with the given hex encoded salt.
+            Generate an NSEC3 chain with the given hex encoded salt.
 	    A dash (<replaceable class="parameter">salt</replaceable>) can
 	    be used to indicate that no salt is to be used when generating		    the NSEC3 chain.
          </para>
@ -563,8 +563,8 @@
        <term>-H <replaceable class="parameter">iterations</replaceable></term>
        <listitem>
          <para>
-	    When generating a NSEC3 chain use this many interations.  The
-	    default is 100.
+	    When generating an NSEC3 chain, use this many interations.  The
+	    default is 10.
          </para>
        </listitem>
      </varlistentry>
@ -573,7 +573,7 @@
        <term>-A</term>
        <listitem>
          <para>
-	    When generating a NSEC3 chain set the OPTOUT flag on all
+	    When generating an NSEC3 chain set the OPTOUT flag on all
 	    NSEC3 records and do not generate NSEC3 records for insecure
 	    delegations.
          </para>