Add release note and CHANGES for #4363

This protocol change is definitely worth mentioning.
2026-05-28 04:34:54 -04:00 · 2023-11-22 16:39:40 +01:00 · 2023-11-22 16:39:40 +01:00 · 294943ba7c
commit 294943ba7c
parent abdaa77303
2 changed files with 12 additions and 1 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+6292.	[func]		Lower the maximum number of allowed NSEC3 iterations,
+			from 150 to 50. DNSSEC responses with a higher
+			iteration count are treated as insecure. For signing
+			with dnssec-policy, iterations must be set to zero.
+			[GL #4363]
+
 6291.	[bug]		SIGTERM failed to properly stop multiple outstanding
 			lookup in dig. [GL #4457]

--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -33,7 +33,12 @@ Removed Features
 Feature Changes
 ~~~~~~~~~~~~~~~

- None.
+- The maximum number of allowed NSEC3 iterations for validation has been
+  lowered from 150 to 50. DNSSEC responses containing NSEC3 records with
+  iteration counts greater than 50 are now treated as insecure.  :gl:`#4363`
+
+- The number of NSEC3 iterations that can be configured for a zone must be 0.
+  :gl:`#4363`

 Bug Fixes
 ~~~~~~~~~