authorVladimír Čunát <vladimir.cunat@nic.cz>2024-01-02 10:05:28 +0100
committerVladimír Čunát <vladimir.cunat@nic.cz>2024-02-12 11:19:37 +0100
commite966b7fdb167add0ec37c56a954c2d847f627985 (patch)
tree5bd16d9210e888f860b56402cfe6c1d1839454ee
parentMerge branch 'pkg-bionic' into 'master' (diff)
downloadknot-resolver-e966b7fdb167add0ec37c56a954c2d847f627985.tar.xz
knot-resolver-e966b7fdb167add0ec37c56a954c2d847f627985.zip
validator: lower the NSEC3 iteration limit (150 -> 50)
Also done by BIND9 >= 9.19.19: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8515 The latest real-life measurements show that values above 50 are rare: https://chat.dns-oarc.net/community/pl/aadp9wwrp7g7ux1b8chbzebmze
-rw-r--r--lib/dnssec/nsec3.h7
1 files changed, 2 insertions, 5 deletions
diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
index eb0bd397..723dc4a1 100644
--- a/lib/dnssec/nsec3.h
+++ b/lib/dnssec/nsec3.h
@@ -11,12 +11,9 @@
* ...so we avoid doing all the work. The value is a current compromise;
* zones shooting over get downgraded to insecure status.
*
- * Original restriction wasn't that strict:
- https://datatracker.ietf.org/doc/html/rfc5155#section-10.3
- * but there is discussion about officially lowering the limits:
- https://tools.ietf.org/id/draft-hardaker-dnsop-nsec3-guidance-02.html#section-2.3
+ https://datatracker.ietf.org/doc/html/rfc9276#name-recommendation-for-validati
*/
-#define KR_NSEC3_MAX_ITERATIONS 150
+#define KR_NSEC3_MAX_ITERATIONS 50
/**
* Name error response check (RFC5155 7.2.2).