From 0009836974f8c38c1edbc84b5ebeab37388ba392 Mon Sep 17 00:00:00 2001
From: Daniel Salzman <daniel.salzman@nic.cz>
Date: Tue, 7 Dec 2021 13:29:46 +0100
Subject: [PATCH] conf: change the default number of NSEC3 iterations to 0

---
 doc/man/knot.conf.5in                      | 2 +-
 doc/reference.rst                          | 2 +-
 src/knot/conf/schema.c                     | 2 +-
 tests-extra/tests/dnssec/no_resign/test.py | 1 +
 tests-extra/tools/dnstest/server.py        | 4 ++--
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in
index 2584efb01a..df56ed6ff1 100644
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5in
@@ -1484,7 +1484,7 @@ Specifies if NSEC3 will be used instead of NSEC.
 .sp
 A number of additional times the hashing is performed.
 .sp
-\fIDefault:\fP 10
+\fIDefault:\fP 0
 .SS nsec3\-opt\-out
 .sp
 If set, NSEC3 records won\(aqt be created for insecure delegations.
diff --git a/doc/reference.rst b/doc/reference.rst
index be1c86c11f..515981a8c3 100644
--- a/doc/reference.rst
+++ b/doc/reference.rst
@@ -1613,7 +1613,7 @@ nsec3-iterations
 
 A number of additional times the hashing is performed.
 
-*Default:* 10
+*Default:* 0
 
 .. _policy_nsec3-opt-out:
 
diff --git a/src/knot/conf/schema.c b/src/knot/conf/schema.c
index 44eb9326d4..0bcd0840d7 100644
--- a/src/knot/conf/schema.c
+++ b/src/knot/conf/schema.c
@@ -372,7 +372,7 @@ static const yp_item_t desc_policy[] = {
 	                                   CONF_IO_FRLD_ZONES },
 	{ C_REPRO_SIGNING,       YP_TBOOL, YP_VNONE, CONF_IO_FRLD_ZONES },
 	{ C_NSEC3,               YP_TBOOL, YP_VNONE, CONF_IO_FRLD_ZONES },
-	{ C_NSEC3_ITER,          YP_TINT,  YP_VINT = { 0, UINT16_MAX, 10 }, CONF_IO_FRLD_ZONES },
+	{ C_NSEC3_ITER,          YP_TINT,  YP_VINT = { 0, UINT16_MAX, 0 }, CONF_IO_FRLD_ZONES },
 	{ C_NSEC3_OPT_OUT,       YP_TBOOL, YP_VNONE, CONF_IO_FRLD_ZONES },
 	{ C_NSEC3_SALT_LEN,      YP_TINT,  YP_VINT = { 0, UINT8_MAX, 8 }, CONF_IO_FRLD_ZONES },
 	{ C_NSEC3_SALT_LIFETIME, YP_TINT,  YP_VINT = { -1, UINT32_MAX, DAYS(30), YP_STIME },
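Review bot: The new `0` default on the C_NSEC3_ITER line carries no comment and the patch gives no rationale, while the neighbouring C_NSEC3_SALT_LEN default stays at 8; the NSEC3 parameter guidance that motivates zero iterations (the dnsop nsec3-guidance work, later RFC 9276) also recommends an empty salt, on the reasoning that the owner name is already part of the hashed value, so a salt adds little against offline dictionary attacks while extra iterations only add signer and validator CPU cost. A short comment would keep the next maintainer from "fixing" it back, e.g. `/* 0: extra iterations do not meaningfully slow offline NSEC3 dictionary attacks but cost CPU on signer and validator */`. The accepted range is still `0..UINT16_MAX`; resolver implementations have started treating large iteration counts as insecure or bogus, so a config-load warning above a modest ceiling would be worth considering, though the threshold should be confirmed against the validators you target. The desc_policy[] array starts before and continues past this hunk.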
diff --git a/tests-extra/tests/dnssec/no_resign/test.py b/tests-extra/tests/dnssec/no_resign/test.py
index 6b25691829..e5b83ced51 100644
--- a/tests-extra/tests/dnssec/no_resign/test.py
+++ b/tests-extra/tests/dnssec/no_resign/test.py
@@ -35,6 +35,7 @@ t.link(static_zone, master)
 master.dnssec(nsec_zone).alg = "rsasha1"
 master.dnssec(nsec3_zone).alg = "rsasha1"
 master.dnssec(nsec3_zone).nsec3 = True
+master.dnssec(nsec3_zone).nsec3_iters = 10
 master.dnssec(nsec3_zone).nsec3_salt_len = 0
 master.dnssec(static_zone).alg = "ecdsap256sha256"
 master.dnssec(nsec_zone).cds_publish = "rollover"
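Review bot: The added `master.dnssec(nsec3_zone).nsec3_iters = 10` has no comment, so it reads as an arbitrary value rather than a deliberate pin of the pre-change default; given this is the no_resign test, the intent is presumably that the NSEC3PARAM of the already-signed zone stays unchanged so no re-sign is triggered, but that is inferred and worth confirming. Stating it next to the line would prevent someone from "cleaning up" the line later, e.g. `# pin the former default; a changed NSEC3PARAM would force a re-sign`.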
diff --git a/tests-extra/tools/dnstest/server.py b/tests-extra/tools/dnstest/server.py
index f506bbfc56..7e692bbcac 100644
--- a/tests-extra/tools/dnstest/server.py
+++ b/tests-extra/tools/dnstest/server.py
@@ -1091,7 +1091,7 @@ class Bind(Server):
                             outf.write(line)
                 #if z.dnssec.nsec3:
                     #n3flag =  1 if z.dnssec.nsec3_opt_out else 0
-                    #n3iters = z.dnssec.nsec3_iters or 10
+                    #n3iters = z.dnssec.nsec3_iters or 0
                     #outf.write("%s NSEC3PARAM 1 %d %d -\n" % (z.name, n3flag, n3iters)) # this does not work!
 
         super().start(clean)
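Review bot: The commented-out NSEC3PARAM block ending with the `# this does not work!` line is dead code that this patch nevertheless keeps in sync with the live fallback below; maintaining a default inside a disabled snippet invites drift the next time the default moves. Either delete the three commented lines, or if they are kept as a reminder, replace them with a single `# NOTE: writing NSEC3PARAM into the zone file does not take effect; nsec3param is applied via rndc after start` and drop the stale value. The enclosing start() method begins before this hunk.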
@@ -1100,7 +1100,7 @@ class Bind(Server):
             z = self.zones[zname]
             if z.dnssec.nsec3:
                 n3flag =  1 if z.dnssec.nsec3_opt_out else 0
-                n3iters = z.dnssec.nsec3_iters or 10
+                n3iters = z.dnssec.nsec3_iters or 0
                 self.ctl("signing -nsec3param 1 %d %d - %s" % (n3flag, n3iters, z.name))
 
 class Knot(Server):
-- 
GitLab