resolved: reduce the maximum nsec3 iterations to 100
According to RFC9267, the 2500 value is not helpful, and in fact it can
be harmful to permit a large number of iterations. Combined with limits
on the number of signature validations, I expect this will mitigate the
impact of maliciously crafted domains designed to cause excessive
cryptographic work.

(cherry picked from commit eba291124bc11f03732d1fc468db3bfac069f9cb)

Related: RHEL-26644
jacekmigacz committed Feb 27, 2024
1 parent 811c030 commit 9597b18
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/resolve/resolved-dns-dnssec.c
@@ -22,8 +22,9 @@
/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)

/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */
#define NSEC3_ITERATIONS_MAX 2500
/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value, but
* RFC9276 § 3.2 says that we should reduce the acceptable iteration count */
#define NSEC3_ITERATIONS_MAX 100

/*
* The DNSSEC Chain of trust:
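Review bot: the new comment on the `#define NSEC3_ITERATIONS_MAX 100` line is too vague to let a reader verify the constant: it says RFC9276 § 3.2 "says that we should reduce the acceptable iteration count" but not to what value, nor what a validator is expected to do with an NSEC3 RR whose iteration count exceeds it (treat the proof as insecure, or as bogus). Suggest stating the RFC's recommended threshold in the comment, e.g. "RFC9276 § 3.2 recommends validators treat iteration counts above 100 as ..." with the prescribed outcome, so that 100 is visibly tied to the reference rather than an arbitrary pick; it would also be worth confirming in the code that consumes NSEC3_ITERATIONS_MAX (not shown in this hunk) that the result for an over-limit count matches what the RFC prescribes, since the old comment only justified the limit as "maximum useful value". Separately, the commit message cites RFC9267 while the comment cites RFC9276; one of the two is a transposition and should be corrected so the reference is unambiguous.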

0 comments on commit 9597b18