resolved: reduce the maximum nsec3 iterations to 100
author Ronan Pigott <ronan@rjp.ie>
Sun, 25 Feb 2024 07:23:32 +0000 (00:23 -0700)
committer Adrian Bunk <bunk@debian.org>
Sun, 25 Aug 2024 19:05:15 +0000 (22:05 +0300)
commit b683e3e25dbc9d26d983c8924465735abdd16325
tree 66d0fce125cab3df672d9d1e51047975be1d1108
parent d1abd19f0014b91378bb47e1bbb82cccdc33eaca
resolved: reduce the maximum nsec3 iterations to 100

According to RFC9267, the 2500 value is not helpful, and in fact it can
be harmful to permit a large number of iterations. Combined with limits
on the number of signature validations, I expect this will mitigate the
impact of maliciously crafted domains designed to cause excessive
cryptographic work.

Gbp-Pq: Name 0003-resolved-reduce-the-maximum-nsec3-iterations-to-100.patch
src/resolve/resolved-dns-dnssec.c
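
The cost the commit message refers to, as an added example that is not code from this commit or from systemd: SHA-1 NSEC3 hashing as defined in RFC 5155, with the iteration limit checked before any hashing is done, and a count of the hash calls one denial-of-existence check can require. The names `NSEC3_ITERATIONS_MAX`, `nsec3_hash`, `candidate_names` and `proof_cost` are hypothetical, the salt and domain names are constructed, and rejecting an over-limit record with an exception is this sketch's choice.

```python
import hashlib

NSEC3_ITERATIONS_MAX = 100  # value from the commit subject; the constant name is an assumption


class TooManyIterations(ValueError):
    """The NSEC3 record demands more hashing than the validator permits."""


def _labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]


def wire_name(name):
    """Lowercased DNS wire format of a name, which is the input RFC 5155 hashes."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(name)) + b"\x00"


def nsec3_hash(name, salt, iterations, limit=NSEC3_ITERATIONS_MAX):
    """Return (digest, sha1_calls) for SHA-1 NSEC3 hashing (RFC 5155, section 5)."""
    if iterations > limit:
        # Refuse before doing any work: the count is chosen by the zone, not by us.
        raise TooManyIterations(f"{iterations} iterations exceeds limit {limit}")
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # the field counts the *additional* rounds
        digest = hashlib.sha1(digest + salt).digest()
    return digest, iterations + 1


def candidate_names(qname, zone):
    """qname and each ancestor down to the zone apex; a closest-encloser
    search may have to hash every one of them."""
    q, z = _labels(qname), _labels(zone)
    if len(q) < len(z) or q[len(q) - len(z):] != z:
        raise ValueError(f"{qname!r} is not inside zone {zone!r}")
    return [".".join(q[i:]) for i in range(len(q) - len(z) + 1)]


def proof_cost(qname, zone, salt, iterations, limit=NSEC3_ITERATIONS_MAX):
    """Total SHA-1 calls needed to hash every candidate name for one check."""
    return sum(nsec3_hash(n, salt, iterations, limit)[1]
               for n in candidate_names(qname, zone))


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")  # constructed sample salt
    for its, lim in ((100, 100), (2500, 2500)):
        print(its, "iterations:", proof_cost("a.b.c.example", "example", salt, its, lim), "SHA-1 calls")
```
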