diff options
author | Lennart Poettering <lennart@poettering.net> | 2016-01-07 01:21:00 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-11 19:39:58 +0100 |
commit | 3a33c81bfea2105c8086aadfe4e52415fa7b884e (patch) | |
tree | 1657b9441f2e8e01854c4fb631b51ac8098c4ea6 /src | |
parent | 81c5eb5b3dcaf889c678cd46b97e378e3be4743e (diff) |
resolved: fix NSEC3 iterations limit to what RFC5155 suggests
Diffstat (limited to 'src')
-rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 51fe710795..04cd725e59 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -39,11 +39,13 @@ * - multi-label zone compatibility * - cname/dname compatibility * - nxdomain on qname - * - workable hack for the .corp, .home, .box case * - bus calls to override DNSEC setting per interface * - log all DNSSEC downgrades * - enable by default * + * - RFC 4035, Section 5.3.4 (When receiving a positive wildcard reply, use NSEC to ensure it actually really applies) + * - RFC 6840, Section 4.1 (ensure we don't get fed a glue NSEC from the parent zone) + * - RFC 6840, Section 4.3 (check for CNAME on NSEC too) * */ #define VERIFY_RRS_MAX 256 @@ -52,8 +54,8 @@ /* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */ #define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE) -/* Maximum number of NSEC3 iterations we'll do. */ -#define NSEC3_ITERATIONS_MAX 2048 +/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */ +#define NSEC3_ITERATIONS_MAX 2500 /* * The DNSSEC Chain of trust: |