Merge branch '4363-lower-max-nsec3-iterations' into 'main'

Lower NSEC3 iteration limit to 50 Closes #4363 See merge request isc-projects/bind9!8515
2025-08-30 22:15:20 +00:00 · 2023-12-05 14:59:48 +00:00
parent 336d99f121 a759f7f33c
commit e67bbe5c9a
19 changed files with 90 additions and 85 deletions
--- a/6
+++ b/6
@@ -1,3 +1,9 @@
+6292.	[func]		Lower the maximum number of allowed NSEC3 iterations,
+			from 150 to 50. DNSSEC responses with a higher
+			iteration count are treated as insecure. For signing
+			with dnssec-policy, iterations must be set to zero.
+			[GL #4363]
+
 6291.	[bug]		SIGTERM failed to properly stop multiple outstanding
 			lookup in dig. [GL #4457]

--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -3494,7 +3494,7 @@ main(int argc, char *argv[]) {
 			set_iter = true;
 			/* too-many is NOT DOCUMENTED */
 			if (strcmp(isc_commandline_argument, "too-many") == 0) {
-				nsec3iter = 151;
+				nsec3iter = 51;
 				no_max_check = true;
 				break;
 			}
--- a/bin/tests/system/autosign/ns2/named.conf.in
+++ b/bin/tests/system/autosign/ns2/named.conf.in
@@ -67,7 +67,7 @@ dnssec-policy "optout" {
 		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 	};

-	nsec3param iterations 1 optout yes salt-length 0;
+	nsec3param iterations 0 optout yes salt-length 0;
 };

 zone "." {
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1269,9 +1269,9 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

-echo_i "check removal of ENT NSEC3 records when opt out delegations are removed"
+echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)"
 zone=optout-with-ent
-hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL
+hash=JE76PJ65FUO86UIR594L8P0SNJJ6RMNI

 # check that NSEC3 for ENT is present
 echo_i "check ENT NSEC3 is initially present"
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -29,7 +29,7 @@ dnssec-policy "test" {
 		csk key-directory lifetime unlimited algorithm rsasha256 2048;
 	};
 	max-zone-ttl 86400;
-	nsec3param iterations 5 optout no salt-length 8;
+	nsec3param iterations 0 optout no salt-length 8;
 	parent-ds-ttl 7200;
 	parent-propagation-delay PT1H;
 	publish-safety PT3600S;
--- a/bin/tests/system/checkconf/good-key-directory.conf
+++ b/bin/tests/system/checkconf/good-key-directory.conf
@@ -17,7 +17,7 @@ dnssec-policy "internet" {
    zsk   key-directory   lifetime P90D        algorithm ecdsa256;
  };

-  nsec3param iterations 15 optout no salt-length 8;
+  nsec3param iterations 0 optout no salt-length 8;
 };

 dnssec-policy "intranet" {
@@ -25,7 +25,7 @@ dnssec-policy "intranet" {
    ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
    zsk   key-directory   lifetime P30D        algorithm ecdsa256;
  };
-  nsec3param iterations 15 optout no salt-length 8;
+  nsec3param iterations 0 optout no salt-length 8;
 };

 dnssec-policy "localhost" {
@@ -33,7 +33,7 @@ dnssec-policy "localhost" {
    ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
    zsk   key-directory   lifetime P30D        algorithm ecdsa256;
  };
-  nsec3param iterations 15 optout no salt-length 8;
+  nsec3param iterations 0 optout no salt-length 8;
 };

 options {
--- a/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf
@@ -15,28 +15,28 @@ dnssec-policy "rsasha256" {
 	keys {
 		csk lifetime P10Y algorithm rsasha256 2048;
 	};
-	nsec3param iterations 150;
+	nsec3param iterations 0;
 };

 dnssec-policy "rsasha256-bad" {
 	keys {
 		csk lifetime P10Y algorithm rsasha256 2048;
 	};
-	nsec3param iterations 151;
+	nsec3param iterations 1;
 };

 dnssec-policy "rsasha512" {
 	keys {
 		csk lifetime P10Y algorithm rsasha512 4096;
 	};
-	nsec3param iterations 150;
+	nsec3param iterations 0;
 };

 dnssec-policy "rsasha512-bad" {
 	keys {
 		csk lifetime P10Y algorithm rsasha512 4096;
 	};
-	nsec3param iterations 151;
+	nsec3param iterations 1;
 };

 zone "example.net" {
--- a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
@@ -15,42 +15,42 @@ dnssec-policy "rsasha1" {
 	keys {
 		csk lifetime P10Y algorithm nsec3rsasha1 1024;
 	};
-	nsec3param iterations 150;
+	nsec3param iterations 0;
 };

 dnssec-policy "rsasha1-bad" {
 	keys {
 		csk lifetime P10Y algorithm nsec3rsasha1 1024;
 	};
-	nsec3param iterations 151;
+	nsec3param iterations 1;
 };

 dnssec-policy "rsasha256" {
 	keys {
 		csk lifetime P10Y algorithm rsasha256 2048;
 	};
-	nsec3param iterations 150;
+	nsec3param iterations 0;
 };

 dnssec-policy "rsasha256-bad" {
 	keys {
 		csk lifetime P10Y algorithm rsasha256 2048;
 	};
-	nsec3param iterations 151;
+	nsec3param iterations 1;
 };

 dnssec-policy "rsasha512" {
 	keys {
 		csk lifetime P10Y algorithm rsasha512 4096;
 	};
-	nsec3param iterations 150;
+	nsec3param iterations 0;
 };

 dnssec-policy "rsasha512-bad" {
 	keys {
 		csk lifetime P10Y algorithm rsasha512 4096;
 	};
-	nsec3param iterations 151;
+	nsec3param iterations 1;
 };

 zone "example.net" {
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -620,7 +620,7 @@ else
  expect=3
 fi
 $CHECKCONF $conf >checkconf.out$n 2>&1 && ret=1
-grep "dnssec-policy: nsec3 iterations value 151 out of range" <checkconf.out$n >/dev/null || ret=1
+grep "dnssec-policy: nsec3 iterations value 1 not allowed, must be zero" <checkconf.out$n >/dev/null || ret=1
 lines=$(wc -l <"checkconf.out$n")
 if [ $lines -ne $expect ]; then ret=1; fi
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1467,7 +1467,7 @@ ret=0
 (
  cd signer/general || exit 0
  rm -f signed.zone
-  $SIGNER -f signed.zone -3 - -H 151 -o example.com. test9.zone >signer.out.$n
+  $SIGNER -f signed.zone -3 - -H 51 -o example.com. test9.zone >signer.out.$n
  test -f signed.zone
 ) && ret=1
 n=$((n + 1))
@@ -1492,7 +1492,7 @@ ret=0
 (
  cd signer/general || exit 1
  rm -f signed.zone
-  $SIGNER -f signed.zone -3 - -H 150 -o example.com. test9.zone >signer.out.$n
+  $SIGNER -f signed.zone -3 - -H 50 -o example.com. test9.zone >signer.out.$n
  test -f signed.zone
 ) || ret=1
 n=$((n + 1))
@@ -4317,8 +4317,8 @@ status=$((status + ret))

 echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)"
 ret=0
-grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns2/named.run >/dev/null 2>&1 || ret=1
-grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns3/named.run >/dev/null 2>&1 || ret=1
+grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 50" ns2/named.run >/dev/null 2>&1 || ret=1
+grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 50" ns3/named.run >/dev/null 2>&1 || ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
--- a/bin/tests/system/nsec3/ns3/named-fips.conf.in
+++ b/bin/tests/system/nsec3/ns3/named-fips.conf.in
@@ -27,7 +27,7 @@ dnssec-policy "optout" {
 };

 dnssec-policy "nsec3-other" {
-	nsec3param iterations 11 optout yes salt-length 8;
+	nsec3param iterations 0 optout yes salt-length 8;
 };

 options {
--- a/bin/tests/system/nsec3/ns3/named2-fips.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2-fips.conf.in
@@ -27,7 +27,7 @@ dnssec-policy "optout" {
 };

 dnssec-policy "nsec3-other" {
-	nsec3param iterations 11 optout yes salt-length 0;
+	nsec3param iterations 0 optout yes salt-length 8;
 };

 options {
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -46,12 +46,10 @@ set_zone_policy() {
  CDS_SHA256="yes"
  CDS_SHA384="no"
 }
-# Set expected NSEC3 parameters: flags ($1), iterations ($2), and
-# salt length ($3).
+# Set expected NSEC3 parameters: flags ($1) and salt length ($2).
 set_nsec3param() {
  FLAGS=$1
-  ITERATIONS=$2
-  SALTLEN=$3
+  SALTLEN=$2
  # Reset salt.
  SALT=""
 }
@@ -102,7 +100,7 @@ set_key_states() {
 # The apex NSEC3PARAM record indicates that it is signed.
 _wait_for_nsec3param() {
  dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM >"dig.out.test$n.wait" || return 1
-  grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" >/dev/null || return 1
+  grep "${ZONE}\..*IN.*NSEC3PARAM 1 0 0.*${SALT}" "dig.out.test$n.wait" >/dev/null || return 1
  grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1
  return 0
 }
@@ -188,7 +186,7 @@ check_nsec() {
 # Test: check NSEC3 parameters in answers
 _check_nsec3_nsec3param() {
  dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1
-  grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" >/dev/null || return 1
+  grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*0.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" >/dev/null || return 1

  if [ -z "$SALT" ]; then
    SALT=$(awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE)
@@ -198,7 +196,7 @@ _check_nsec3_nsec3param() {

 _check_nsec3_nxdomain() {
  dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1
-  grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1
+  grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*0.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1
  return 0
 }

@@ -206,14 +204,14 @@ check_nsec3() {
  wait_for_zone_is_signed "nsec3"

  n=$((n + 1))
-  echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)"
+  echo_i "check that NSEC3PARAM 1 0 0 ${SALT} is published zone ${ZONE} ($n)"
  ret=0
  retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}"
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status + ret))

  n=$((n + 1))
-  echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} ${ITERATIONS} ${SALT} for zone ${ZONE} ($n)"
+  echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} 0 ${SALT} for zone ${ZONE} ($n)"
  ret=0
  retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
  test "$ret" -eq 0 || echo_i "failed"
@@ -277,21 +275,21 @@ fi

 # Zone: nsec3.kasp.
 set_zone_policy "nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3

 # Zone: nsec3-dynamic.kasp.
 set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3

 # Zone: nsec3-change.kasp.
 set_zone_policy "nsec3-change.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
@@ -316,49 +314,49 @@ retry_quiet 10 _wait_for_new_soa || log_error "failed to update SOA record in zo

 # Zone: nsec3-dynamic-change.kasp.
 set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3

 # Zone: nsec3-dynamic-to-inline.kasp.
 set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3

 # Zone: nsec3-inline-to-dynamic.kasp.
 set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3

 # Zone: nsec3-to-nsec.kasp.
 set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3

 # Zone: nsec3-to-optout.kasp.
 set_zone_policy "nsec3-to-optout.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3

 # Zone: nsec3-from-optout.kasp.
 set_zone_policy "nsec3-from-optout.kasp" "optout" 1 3600
-set_nsec3param "1" "0" "0"
+set_nsec3param "1" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3

 # Zone: nsec3-other.kasp.
 set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
@@ -403,7 +401,7 @@ rndc_reconfig ns3 10.53.0.3

 # Zone: nsec-to-nsec3.kasp. (reconfigured)
 set_zone_policy "nsec-to-nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
@@ -431,7 +429,7 @@ if ($SHELL ../testcrypto.sh -q RSASHA1); then

  # Zone: nsec3-to-rsasha1.kasp.
  set_zone_policy "nsec3-to-rsasha1.kasp" "rsasha1" 2 3600
-  set_nsec3param "1" "0" "0"
+  set_nsec3param "1" "0"
  set_server "ns3" "10.53.0.3"
  set_key_default_values "KEY1"
  set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
@@ -443,7 +441,7 @@ if ($SHELL ../testcrypto.sh -q RSASHA1); then

  # Zone: nsec3-to-rsasha1-ds.kasp.
  set_zone_policy "nsec3-to-rsasha1-ds.kasp" "rsasha1" 2 3600
-  set_nsec3param "1" "0" "0"
+  set_nsec3param "1" "0"
  set_server "ns3" "10.53.0.3"
  set_key_default_values "KEY1"
  set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
@@ -457,21 +455,21 @@ fi

 # Zone: nsec3.kasp. (same)
 set_zone_policy "nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3

 # Zone: nsec3-dyamic.kasp. (same)
 set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3

 # Zone: nsec3-change.kasp. (reconfigured)
 set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
@@ -486,30 +484,36 @@ grep "${ZONE}\..*900.*IN.*NSEC3PARAM" "dig.out.nsec3param.test$n" >/dev/null ||
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

+# Using rndc signing -nsec3param (should fail)
+echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
+rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE >rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
+grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE >/dev/null || log_error "rndc signing -nsec3param should fail"
+check_nsec3
+
 # Zone: nsec3-dynamic-change.kasp. (reconfigured)
 set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3

 # Zone: nsec3-dynamic-to-inline.kasp. (same)
 set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3

 # Zone: nsec3-inline-to-dynamic.kasp. (same)
 set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3

 # Zone: nsec3-to-nsec.kasp. (reconfigured)
 set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec
@@ -519,7 +523,7 @@ check_nsec
 # There is a bug in the nsec3param building code that thinks when the
 # optout bit is changed, the chain already exists. [GL #2216]
 #set_zone_policy "nsec3-to-optout.kasp" "optout" 1 3600
-#set_nsec3param "1" "0" "0"
+#set_nsec3param "1" "0"
 #set_key_default_values "KEY1"
 #echo_i "check zone ${ZONE} after reconfig"
 #check_nsec3
@@ -529,28 +533,21 @@ check_nsec
 # There is a bug in the nsec3param building code that thinks when the
 # optout bit is changed, the chain already exists. [GL #2216]
 #set_zone_policy "nsec3-from-optout.kasp" "nsec3" 1 3600
-#set_nsec3param "0" "0" "0"
+#set_nsec3param "0" "0"
 #set_key_default_values "KEY1"
 #echo_i "check zone ${ZONE} after reconfig"
 #check_nsec3

 # Zone: nsec3-other.kasp. (same)
 set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3

-# Using rndc signing -nsec3param (should fail)
-set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600
-echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
-rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE >rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
-grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE >/dev/null || log_error "rndc signing -nsec3param should fail"
-check_nsec3
-
 # Test NSEC3 and NSEC3PARAM is the same after restart
 set_zone_policy "nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} before restart"
 check_nsec3
@@ -570,7 +567,7 @@ status=$((status + ret))

 prevsalt="${SALT}"
 set_zone_policy "nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 SALT="${prevsalt}"
 echo_i "check zone ${ZONE} after restart has salt ${SALT}"
@@ -581,7 +578,7 @@ cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db
 rndc_reload ns3 10.53.0.3

 set_zone_policy "nsec3-fails-to-load.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reload"
 check_nsec3
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -433,7 +433,7 @@ if $PERL -e 'use Net::DNS;' 2>/dev/null; then
    n=$((n + 1))
    ret=0
    echo_i "check for too many NSEC3 iterations log ($n)"
-    grep "updating zone 'update.nil/IN': too many NSEC3 iterations (151)" ns1/named.run >/dev/null || ret=1
+    grep "updating zone 'update.nil/IN': too many NSEC3 iterations (51)" ns1/named.run >/dev/null || ret=1
    [ $ret -eq 1 ] && {
      echo_i "failed"
      status=1
@@ -1899,9 +1899,9 @@ echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)
 $NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 && ret=1
 server 10.53.0.3 ${PORT}
 zone example
-update add example 0 in NSEC3PARAM 1 0 151 -
+update add example 0 in NSEC3PARAM 1 0 51 -
 END
-grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out.test$n >/dev/null || ret=1
+grep "NSEC3PARAM has excessive iterations (> 50)" nsupdate.out.test$n >/dev/null || ret=1
 [ $ret = 0 ] || {
  echo_i "failed"
  status=1
--- a/bin/tests/system/nsupdate/update_test.pl
+++ b/bin/tests/system/nsupdate/update_test.pl
@@ -417,8 +417,8 @@ if ($Net::DNS::VERSION < 1.01) {
    print "skipped Excessive NSEC3PARAM iterations; Net::DNS too old.\n";
 } else {
    section("Excessive NSEC3PARAM iterations");
-    test("REFUSED", ["update", rr_add("$zone 300 NSEC3PARAM 1 0 151 -")]);
-    test("NOERROR", ["update", rr_add("$zone 300 NSEC3PARAM 1 0 150 -")]);
+    test("REFUSED", ["update", rr_add("$zone 300 NSEC3PARAM 1 0 51 -")]);
+    test("NOERROR", ["update", rr_add("$zone 300 NSEC3PARAM 1 0 50 -")]);
 }

 if ($failures) {
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -33,7 +33,12 @@ Removed Features
 Feature Changes
 ~~~~~~~~~~~~~~~

- None.
+- The maximum number of allowed NSEC3 iterations for validation has been
+  lowered from 150 to 50. DNSSEC responses containing NSEC3 records with
+  iteration counts greater than 50 are now treated as insecure.  :gl:`#4363`
+
+- The number of NSEC3 iterations that can be configured for a zone must be 0.
+  :gl:`#4363`

 Bug Fixes
 ~~~~~~~~~
--- a/lib/dns/include/dns/nsec3.h
+++ b/lib/dns/include/dns/nsec3.h
@@ -26,7 +26,7 @@
 #include <dns/types.h>

 #define DNS_NSEC3_SALTSIZE	255
-#define DNS_NSEC3_MAXITERATIONS 150U
+#define DNS_NSEC3_MAXITERATIONS 50U

 /*
 * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -291,15 +291,12 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 		return (DNS_R_NSEC3BADALG);
 	}

-	if (iter > dns_nsec3_maxiterations()) {
-		ret = DNS_R_NSEC3ITERRANGE;
-	}
-
-	if (ret == DNS_R_NSEC3ITERRANGE) {
+	if (iter != DEFAULT_NSEC3PARAM_ITER) {
 		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 			    "dnssec-policy: nsec3 iterations value %u "
-			    "out of range",
+			    "not allowed, must be zero",
 			    iter);
+		return (DNS_R_NSEC3ITERRANGE);
 		return (ret);
 	}

--- a/tests/dns/nsec3_test.c
+++ b/tests/dns/nsec3_test.c
@@ -115,11 +115,11 @@ nsec3param_salttotext_test(const nsec3param_salttotext_test_params_t *params) {
 ISC_RUN_TEST_IMPL(max_iterations) {
 	UNUSED(state);

-	iteration_test(TESTS_DIR "/testdata/nsec3/1024.db", 150);
-	iteration_test(TESTS_DIR "/testdata/nsec3/2048.db", 150);
-	iteration_test(TESTS_DIR "/testdata/nsec3/4096.db", 150);
-	iteration_test(TESTS_DIR "/testdata/nsec3/min-1024.db", 150);
-	iteration_test(TESTS_DIR "/testdata/nsec3/min-2048.db", 150);
+	iteration_test(TESTS_DIR "/testdata/nsec3/1024.db", 50);
+	iteration_test(TESTS_DIR "/testdata/nsec3/2048.db", 50);
+	iteration_test(TESTS_DIR "/testdata/nsec3/4096.db", 50);
+	iteration_test(TESTS_DIR "/testdata/nsec3/min-1024.db", 50);
+	iteration_test(TESTS_DIR "/testdata/nsec3/min-2048.db", 50);
 }

 /* check dns_nsec3param_salttotext() */