mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-25 02:42:33 -05:00
BIND 9 will now treat the response as insecure when processing NSEC3 records with iterations larger than 50.

Earlier, we limited the number of iterations to 150 (in #2445).

RFC 9276 says:

Because there has been a large growth of open (public) DNSSEC validating resolvers that are subject to compute resource constraints when handling requests from anonymous clients, this document recommends that validating resolvers reduce their iteration count limits over time. Specifically, validating resolver operators and validating resolver software implementers are encouraged to continue evaluating NSEC3 iteration count deployment trends and lower their acceptable iteration limits over time.

After evaluation, we decided that the next major BIND release should lower the maximum allowed NSEC3 iterations to 50, which should be fine for 99,87% of the domain names.

| Name |
|---|
| .gitignore |
| dnssec-cds.c |
| dnssec-cds.rst |
| dnssec-dsfromkey.c |
| dnssec-dsfromkey.rst |
| dnssec-importkey.c |
| dnssec-importkey.rst |
| dnssec-keyfromlabel.c |
| dnssec-keyfromlabel.rst |
| dnssec-keygen.c |
| dnssec-keygen.rst |
| dnssec-revoke.c |
| dnssec-revoke.rst |
| dnssec-settime.c |
| dnssec-settime.rst |
| dnssec-signzone.c |
| dnssec-signzone.rst |
| dnssec-verify.c |
| dnssec-verify.rst |
| dnssectool.c |
| dnssectool.h |
| Makefile.am |