  1. OpenDNSSEC
  2. OPENDNSSEC-893

NSEC3 iteration count

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3
    • Component/s: Enforcer
    • Labels:
      None

      Description

      RFC5155, Section 10.3 specifies the maximum number of hash iterations for
      NSEC3 given the size of the ZSK. The key size in bits must be rounded upwards
      to the nearest table (Table 1) entry or downwards if necessary. More iterations
      than the corresponding number in the table MUST NOT be used. NSEC3 RRs
      with more iterations MIGHT be considered insecure. This effectively puts a
      maximum on the number of iterations.

      Key size | Iterations
      1024     | 150
      2048     | 500
      4096     | 2500

      OpenDNSSEC should emit a stern warning for policies exceeding these iteration counts.
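
One way to audit policies against the table above, as an added example that is not OpenDNSSEC's own code or the fix shipped for this issue. It assumes the policies use the element names of OpenDNSSEC's kasp.xml, and that when a policy carries several ZSKs the smallest one sets the limit; the sample policies are constructed.

```python
import bisect
import xml.etree.ElementTree as ET

# Table from the issue (RFC 5155, Section 10.3): ZSK size in bits -> max iterations.
KEY_SIZES = [1024, 2048, 4096]
MAX_ITERATIONS = [150, 500, 2500]

def max_iterations(key_bits):
    """Round the key size up to the next table entry, or down past the last one."""
    idx = min(bisect.bisect_left(KEY_SIZES, key_bits), len(KEY_SIZES) - 1)
    return MAX_ITERATIONS[idx]

def audit_kasp(xml_text):
    """Return (policy, iterations, limit, zsk_bits) for every policy over the limit."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("Policy"):
        iters = policy.findtext("Denial/NSEC3/Hash/Iterations")
        sizes = [int(a.get("length"))
                 for a in policy.findall("Keys/ZSK/Algorithm") if a.get("length")]
        if iters is None or not sizes:
            continue  # NSEC policy, or no ZSK with a stated length: nothing to compare
        bits = min(sizes)  # assumption: the smallest ZSK determines the limit
        limit = max_iterations(bits)
        if int(iters) > limit:
            findings.append((policy.get("name"), int(iters), limit, bits))
    return findings

# Constructed sample policies, reduced to the elements the check reads.
SAMPLE_KASP = """<KASP>
<Policy name="default"><Denial><NSEC3><Hash><Iterations>5</Iterations></Hash></NSEC3></Denial>
  <Keys><ZSK><Algorithm length="1024">8</Algorithm></ZSK></Keys></Policy>
<Policy name="legacy"><Denial><NSEC3><Hash><Iterations>330</Iterations></Hash></NSEC3></Denial>
  <Keys><ZSK><Algorithm length="2048">8</Algorithm></ZSK>
        <ZSK><Algorithm length="1024">8</Algorithm></ZSK></Keys></Policy>
<Policy name="wide"><Denial><NSEC3><Hash><Iterations>3000</Iterations></Hash></NSEC3></Denial>
  <Keys><ZSK><Algorithm length="8192">8</Algorithm></ZSK></Keys></Policy>
<Policy name="nsec"><Denial><NSEC/></Denial>
  <Keys><ZSK><Algorithm length="1024">8</Algorithm></ZSK></Keys></Policy>
</KASP>"""

if __name__ == "__main__":
    for name, iters, limit, bits in audit_kasp(SAMPLE_KASP):
        print(f"WARNING: policy {name}: {iters} NSEC3 iterations exceeds "
              f"the limit of {limit} for a {bits}-bit ZSK")
```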

            People

            Assignee:
            hodar Hoda Rohani
            Reporter:
            yuri Yuri Schaeffer