resolved: reduce the maximum nsec3 iterations to 100
author Ronan Pigott <ronan@rjp.ie>
Sun, 25 Feb 2024 07:23:32 +0000 (00:23 -0700)
committer Arnaud Rebillout <arnaudr@debian.org>
Mon, 13 Apr 2026 07:18:40 +0000 (14:18 +0700)
commit 49aecd38173d38aab366a43bc1b0ca5d258e0072
tree fa5356b8a7673c5596ac7f8da51cfb949008a5f5
parent 02c83d9bcf24bee49b3532207717b9d4228ff1fe
resolved: reduce the maximum nsec3 iterations to 100

According to RFC9267, the 2500 value is not helpful, and in fact it can
be harmful to permit a large number of iterations. Combined with limits
on the number of signature validations, I expect this will mitigate the
impact of maliciously crafted domains designed to cause excessive
cryptographic work.

Gbp-Pq: Name 0003-resolved-reduce-the-maximum-nsec3-iterations-to-100.patch
src/resolve/resolved-dns-dnssec.c
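
Added example, not code from this commit or from systemd: the RFC 5155 NSEC3 hash with the iteration count checked before any hashing, showing that each name a validator hashes costs iterations + 1 SHA-1 digests. The names `MAX_ITERATIONS`, `IterationsTooHigh`, `wire_name` and `nsec3_hash` are chosen for this example, the salt and owner name are constructed sample input, and raising an error for an over-limit record is this example's choice of policy.

```python
import base64
import hashlib

# Cap from the commit subject; the constant name is chosen for this example.
MAX_ITERATIONS = 100

# base64.b32encode uses the standard alphabet; NSEC3 uses base32hex.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789abcdefghijklmnopqrstuv",
)


class IterationsTooHigh(ValueError):
    """The NSEC3 record asks for more iterations than the validator allows."""


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire format: length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, salt, iterations, limit=MAX_ITERATIONS):
    """Return (base32hex hash, number of SHA-1 digests computed)."""
    # The count comes from the zone, so check it before doing any work.
    if iterations > limit:
        raise IterationsTooHigh(f"{iterations} > {limit}")
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")
    return b32, iterations + 1


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")  # constructed sample parameters
    print(nsec3_hash("example", salt, 12))
    for requested in (100, 2500):
        try:
            print(requested, nsec3_hash("example", salt, requested)[1], "digests")
        except IterationsTooHigh as exc:
            print(requested, "rejected:", exc)
```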