| From b43bcb51ebf9aea21b1e280e1872056994e3f53d Mon Sep 17 00:00:00 2001 |
| From: Ronan Pigott <ronan@rjp.ie> |
| Date: Sun, 25 Feb 2024 00:23:32 -0700 |
| Subject: [PATCH] resolved: reduce the maximum nsec3 iterations to 100 |
| |
| According to RFC9267, the 2500 value is not helpful, and in fact it can |
| be harmful to permit a large number of iterations. Combined with limits |
| on the number of signature validations, I expect this will mitigate the |
| impact of maliciously crafted domains designed to cause excessive |
| cryptographic work. |
| |
| (cherry picked from commit eba291124bc11f03732d1fc468db3bfac069f9cb) |
| (cherry picked from commit 572692f0bdd6a3fabe3dd4a3e8e5565cc69b5e14) |
| (cherry picked from commit 9899281c59a91f19c8b39362d203e997d2faf233) |
| (cherry picked from commit 156e519d990a5662c719a1cbe80c6a02a2b9115f) |
| --- |
| src/resolve/resolved-dns-dnssec.c | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c |
| index 149949ffdf..71a915feea 100644 |
| --- a/src/resolve/resolved-dns-dnssec.c |
| +++ b/src/resolve/resolved-dns-dnssec.c |
| @@ -27,8 +27,9 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_KEY*, EC_KEY_free, NULL); |
| /* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */ |
| #define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE) |
| |
| -/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */ |
| -#define NSEC3_ITERATIONS_MAX 2500 |
| +/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value, but |
| + * RFC9276 ยง 3.2 says that we should reduce the acceptable iteration count */ |
| +#define NSEC3_ITERATIONS_MAX 100 |
| |
| /* |
| * The DNSSEC Chain of trust: |
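Review bot: The new comment above `NSEC3_ITERATIONS_MAX` cites the RFC but does not say what happens to an NSEC3 record whose iteration count exceeds 100, which is the security-relevant consequence of lowering the limit: a zone above it loses validated denial of existence. The code that consumes the constant is outside this hunk, so the comment should state the outcome itself, e.g. `* NSEC3 RRs above this limit are not hashed; the answer is then treated as <insecure or bogus: state which> */`. It would also help to record why 100 was chosen, since, as far as I know, RFC 9276 § 3.2 leaves the threshold to the implementation. The commit message cites RFC9267 while the comment cites RFC9276; the comment's reference appears to be the intended NSEC3 guidance document. The section sign in the comment renders as `ยง` on this page, which is probably an extraction artefact, but it is worth confirming that the file itself is clean UTF-8.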