resolved: reduce the maximum nsec3 iterations to 100

According to RFC9267, the 2500 value is not helpful, and in fact it can be harmful to permit a large number of iterations. Combined with limits on the number of signature validations, I expect this will mitigate the impact of maliciously crafted domains designed to cause excessive cryptographic work. (cherry picked from commit eba291124bc11f03732d1fc468db3bfac069f9cb) Related: RHEL-26644
redhat-plumbers · Mar 7, 2024 · 92124e8 · 92124e8
1 parent 899e3c4
commit 92124e8
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
@@ -22,8 +22,9 @@
 /* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
 #define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
 
-/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */
-#define NSEC3_ITERATIONS_MAX 2500
+/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value, but
+ * RFC9276 § 3.2 says that we should reduce the acceptable iteration count */
+#define NSEC3_ITERATIONS_MAX 100
 
 /*
  * The DNSSEC Chain of trust: