
dnssec-policy: reduce NSEC3 iterations to 150

Matthijs Mekking requested to merge matthijs-follow-up-2642-nsec3-iter-kasp into main

When reducing the number of NSEC3 iterations to 150, commit aa26cde2 added tests for dnssec-policy to check that a too high iteration count is a configuration failure.

The test is not sufficient because 151 was always too high for ECDSAP256SHA256. The test should check for a different algorithm.

There was an existing test case that checks for NSEC3 iterations. Update the test with the new maximum values.

Update the code in 'kaspconf.c' to allow at most 150 iterations.
