From a93a66f61872a92ef4a272ca998aaff954ab4fed Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 29 Sep 2009 22:17:34 +0000
Subject: [PATCH] 2794. [bug] Reduce default NSEC3 iterations from 100 to 10. [RT #19970]
---
 CHANGES | 3 +++
 bin/dnssec/dnssec-signzone.c | 10 +++++-----
 bin/dnssec/dnssec-signzone.docbook | 10 +++++-----
 3 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/CHANGES b/CHANGES
index 44304cf062..aefcc840ff 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2794. [bug] Reduce default NSEC3 iterations from 100 to 10.
+ [RT #19970]
+
 2793. [port] Add some noreturn attributes. [RT #20257]
 2792. [port] win32: 32/64 bit cleanups. [RT #20335]
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 4e9ed94983..cfa01f7811 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssec-signzone.c,v 1.238 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssec-signzone.c,v 1.239 2009/09/29 22:17:34 each Exp $ */
 /*! \file */
@@ -147,7 +147,7 @@ static dns_dbiterator_t *gdbiter; /* The database iterator */
 static dns_rdataclass_t gclass; /* The class */
 static dns_name_t *gorigin; /* The database origin */
 static int nsec3flags = 0;
-static dns_iterations_t nsec3iter = 100U;
+static dns_iterations_t nsec3iter = 10U;
 static unsigned char saltbuf[255];
 static unsigned char *salt = saltbuf;
 static size_t salt_length = 0;
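Review bot: The new default `10U` for `nsec3iter` is hard-coded a second time as the literal `(10)` in the usage text of the `@@ -3337` hunk (and a third time as "default is 10" in the docbook), so the code and the help text will drift apart the next time the default is tuned. A named constant next to the other file-scope statics, `#define DEFAULT_NSEC3_ITERATIONS 10U` (name is a suggestion), used as `static dns_iterations_t nsec3iter = DEFAULT_NSEC3_ITERATIONS;` and `fprintf(stderr, "\t-H NSEC3 iterations (%u)\n", DEFAULT_NSEC3_ITERATIONS);`, keeps the two in step; printing `nsec3iter` itself would not do, because a `-H` given earlier on the command line may already have overwritten it by the time usage() runs. Neither hunk shows where the `-H` argument is parsed, so it is not visible here whether an excessive iteration count is rejected or warned about; RFC 5155 section 10.3 gives per-key-size ceilings (150, 500 and 2500 iterations for 1024-, 2048- and 4096-bit keys) above which a validating resolver may treat the zone as insecure, which is worth checking at the option parser since high counts also cost every resolver extra hashing per NXDOMAIN. usage() itself begins and ends outside the `@@ -3337` hunk.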
@@ -3337,9 +3337,9 @@ usage(void) {
 fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
 fprintf(stderr, "\t-k key_signing_key\n");
 fprintf(stderr, "\t-l lookasidezone\n");
- fprintf(stderr, "\t-3 salt (NSEC3 salt)\n");
- fprintf(stderr, "\t-H iterations (NSEC3 iterations)\n");
- fprintf(stderr, "\t-A (NSEC3 optout)\n");
+ fprintf(stderr, "\t-3 NSEC3 salt\n");
+ fprintf(stderr, "\t-H NSEC3 iterations (10)\n");
+ fprintf(stderr, "\t-A NSEC3 optout\n");
 fprintf(stderr, "\t-z:\t");
 fprintf(stderr, "ignore KSK flag in DNSKEYs");
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 75ac03e7dc..9a3dc364ae 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 05, 2009
@@ -552,7 +552,7 @@ -3 salt
- Generate a NSEC3 chain with the given hex encoded salt.
+ Generate an NSEC3 chain with the given hex encoded salt.
 A dash (salt) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
@@ -563,8 +563,8 @@ -H iterations
- When generating a NSEC3 chain use this many interations. The
- default is 100.
+ When generating an NSEC3 chain, use this many interations. The
+ default is 10.
@@ -573,7 +573,7 @@ -A
- When generating a NSEC3 chain set the OPTOUT flag on all
+ When generating an NSEC3 chain set the OPTOUT flag on all
 NSEC3 records and do not generate NSEC3 records for insecure delegations.