resolved: fix NSEC3 iterations limit to what RFC5155 suggests

This commit is contained in:
Lennart Poettering 2016-01-07 01:21:00 +01:00
parent 81c5eb5b3d
commit 3a33c81bfe


@ -39,11 +39,13 @@
* - multi-label zone compatibility * - multi-label zone compatibility
* - cname/dname compatibility * - cname/dname compatibility
* - nxdomain on qname * - nxdomain on qname
* - workable hack for the .corp, .home, .box case
* - bus calls to override DNSEC setting per interface * - bus calls to override DNSEC setting per interface
* - log all DNSSEC downgrades * - log all DNSSEC downgrades
* - enable by default * - enable by default
* *
* - RFC 4035, Section 5.3.4 (When receiving a positive wildcard reply, use NSEC to ensure it actually really applies)
* - RFC 6840, Section 4.1 (ensure we don't get fed a glue NSEC from the parent zone)
* - RFC 6840, Section 4.3 (check for CNAME on NSEC too)
* */ * */
#define VERIFY_RRS_MAX 256 #define VERIFY_RRS_MAX 256
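Review bot: the three RFC items appended to this TODO list (RFC 4035 §5.3.4 wildcard-reply NSEC check, RFC 6840 §4.1 glue NSEC from the parent zone, RFC 6840 §4.3 CNAME on NSEC) record unimplemented validation checks, not documentation, yet the commit message covers only the NSEC3 iterations change; either mention them in the commit message or land the comment changes separately so the functional change stays reviewable on its own. While touching this list, the unchanged line `* - bus calls to override DNSEC setting per interface` could have its `DNSEC` typo corrected to `DNSSEC`.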
@ -52,8 +54,8 @@
/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */ /* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE) #define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
/* Maximum number of NSEC3 iterations we'll do. */ /* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */
#define NSEC3_ITERATIONS_MAX 2048 #define NSEC3_ITERATIONS_MAX 2500
/* /*
* The DNSSEC Chain of trust: * The DNSSEC Chain of trust:
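Review bot: the new comment on `#define NSEC3_ITERATIONS_MAX 2500` overstates what RFC 5155 says: Section 10.3 of that RFC sets the iteration limit by signing-key size (150 for 1024-bit, 500 for 2048-bit, 2500 for 4096-bit RSA keys), so 2500 is only the ceiling for the largest key size, not a single "maximum useful value". Suggest rewording the comment to state that, and, where the DNSKEY is available at validation time, applying the key-size-dependent limit instead of one flat cap, since each iteration is an additional hash computation per NSEC3 RR examined and raising the cap from 2048 to 2500 raises that worst case for every zone regardless of key size.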