mirror of
https://github.com/systemd/systemd
synced 2024-10-14 12:04:49 +00:00
resolved: fix NSEC3 iterations limit to what RFC5155 suggests
parent
81c5eb5b3d
commit
3a33c81bfe
|
@ -39,11 +39,13 @@
|
||||||
* - multi-label zone compatibility
|
* - multi-label zone compatibility
|
||||||
* - cname/dname compatibility
|
* - cname/dname compatibility
|
||||||
* - nxdomain on qname
|
* - nxdomain on qname
|
||||||
* - workable hack for the .corp, .home, .box case
|
|
||||||
* - bus calls to override DNSEC setting per interface
|
* - bus calls to override DNSEC setting per interface
|
||||||
* - log all DNSSEC downgrades
|
* - log all DNSSEC downgrades
|
||||||
* - enable by default
|
* - enable by default
|
||||||
*
|
*
|
||||||
|
* - RFC 4035, Section 5.3.4 (When receiving a positive wildcard reply, use NSEC to ensure it actually really applies)
|
||||||
|
* - RFC 6840, Section 4.1 (ensure we don't get fed a glue NSEC from the parent zone)
|
||||||
|
* - RFC 6840, Section 4.3 (check for CNAME on NSEC too)
|
||||||
* */
|
* */
|
||||||
|
|
||||||
#define VERIFY_RRS_MAX 256
|
#define VERIFY_RRS_MAX 256
|
||||||
|
@ -52,8 +54,8 @@
|
||||||
/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
|
/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
|
||||||
#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
|
#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
|
||||||
|
|
||||||
/* Maximum number of NSEC3 iterations we'll do. */
|
/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */
|
||||||
#define NSEC3_ITERATIONS_MAX 2048
|
#define NSEC3_ITERATIONS_MAX 2500
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The DNSSEC Chain of trust:
|
* The DNSSEC Chain of trust:
|
||||||
|
|
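Review bot: The new comment on `NSEC3_ITERATIONS_MAX` overstates RFC 5155. Section 10.3 gives 2500 only as the ceiling for the largest key size, with 150 and 500 for smaller keys, so a flat 2500 is the most permissive reading. Because the iteration count comes from the zone being validated, this constant also caps the hashing work a remote zone can impose per NSEC3 lookup, and raising it from 2048 raises that worst case. I would spell this out, for example `/* Maximum number of NSEC3 iterations we'll do. RFC 5155, Section 10.3 allows up to 2500 only for the largest key size (150/500 for smaller keys); this also bounds per-lookup hashing cost. */`. The code that consumes the macro is outside this hunk, so confirm that records above the limit are treated as unsigned rather than hashed anyway; the later guidance in RFC 9276 recommends far lower counts and may justify a lower cap.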