- Move the NSEC3 max iterations count in line with the 150 value

used by BIND, Knot and PowerDNS. This sets the default value
  for it in the configuration to 150 for all key sizes.

doc/Changelog

@@ -1,3 +1,8 @@
+25 May 2021: Wouter
+	- Move the NSEC3 max iterations count in line with the 150 value
+	  used by BIND, Knot and PowerDNS. This sets the default value
+	  for it in the configuration to 150 for all key sizes.
+
 21 May 2021: Wouter
 	- Test code has -q option for quiet output.
 

doc/example.conf.in

@@ -614,7 +614,7 @@ server:
 	# keysize. Keep this table very short, as linear search is done.
 	# A message with an NSEC3 with larger count is marked insecure.
 	# List in ascending order the keysize and count values.
-	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
+	# val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
 
 	# if enabled, ZONEMD verification failures do not block the zone.
 	# zonemd-permissive-mode: no

doc/unbound.conf.5.in

@@ -1215,7 +1215,7 @@ Default is "no".
 .TP
 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
 List of keysize and iteration count values, separated by spaces, surrounded
-by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
+by quotes. Default is "1024 150 2048 150 4096 150". This determines the
 maximum allowed NSEC3 iteration count before a message is simply marked
 insecure instead of performing the many hashing iterations. The list must
 be in ascending order and have at least one entry. If you set it to

util/config_file.c

@@ -309,7 +309,7 @@ config_create(void)
 	if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
 #endif
 	if(!(cfg->val_nsec3_key_iterations = 
-		strdup("1024 150 2048 500 4096 2500"))) goto error_exit;
+		strdup("1024 150 2048 150 4096 150"))) goto error_exit;
 #if defined(DNSTAP_SOCKET_PATH)
 	if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH)))
 		goto error_exit;