dnssec-policy: reduce NSEC3 iterations to 150 (!4952) · Merge requests · ISC Open Source Projects / BIND

Matthijs Mekking requested to merge matthijs-follow-up-2642-nsec3-iter-kasp into main Apr 29, 2021

When reducing the number of NSEC3 iterations to 150, commit aa26cde2 added tests for dnssec-policy to check that a too high iteration count is a configuration failure.

The test is not sufficient because 151 was always too high for ECDSAP256SHA256. The test should check for a different algorithm.

There was an existing test case that checks for NSEC3 iterations. Update the test with the new maximum values.

Update the code in 'kaspconf.c' to allow at most 150 iterations.

dnssec-policy: reduce NSEC3 iterations to 150

Merge request reports