Test DNSSEC03 checks the NSEC3 iterations. I recommend revisiting the threshold values of this test. The currently discussed IETF draft-hardaker-dnsop-nsec3-guidance-03 suggests that everything above 150 iterations is an error regardless of the key size. Google DNS has shown interest in implementing this, and the latest ISC BIND 9.16.16 (CHANGES) has already implemented it:
    - [func] Treat DNSSEC responses containing NSEC3 records with
      iteration counts greater than 150 as insecure. [GL #2445]
I recommend simplifying the DNSSEC03 test as follows:
- show a NOTICE for zones using NSEC3 with an iteration count > 0
- fail the test (ERROR) for zones using NSEC3 with an iteration count > 150
- the key size test can be omitted
Thanks for your consideration.
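The simplified rule proposed above, written out as a small checker (an added example, not Zonemaster's code): it parses NSEC3 RDATA in presentation format, takes the largest iteration count in the zone and maps it to OK / NOTICE / ERROR using only the 0 and 150 thresholds, with no reference to key size. The zone names and hashed owner names in the samples are constructed placeholders.

```python
# Proposed simplified DNSSEC03: grade a zone by its largest NSEC3 iteration count,
# ignoring key size. Added illustration, not Zonemaster's own code.
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple
NOTICE_ABOVE = 0    # any hashing iterations at all -> NOTICE
ERROR_ABOVE = 150   # limit from draft-hardaker-dnsop-nsec3-guidance / BIND 9.16.16

@dataclass(frozen=True)
class Nsec3:
    hash_alg: int
    flags: int
    iterations: int
    salt: str         # hex digits, or "-" for an empty salt
    next_hashed: str  # base32hex of the next hashed owner name
    types: tuple      # type bitmap in presentation form

def parse_nsec3_rdata(rdata: str) -> Nsec3:
    """Parse NSEC3 RDATA as printed by dig or in a zone file (RFC 5155 s.3.3):
    '<hash-alg> <flags> <iterations> <salt> <next-hashed-owner> [<type> ...]'."""
    fields = rdata.split()
    if len(fields) < 5:
        raise ValueError(f"NSEC3 RDATA needs at least 5 fields: {rdata!r}")
    hash_alg, flags, iterations = (int(f) for f in fields[:3])
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError(f"iterations is a 16-bit field, got {iterations}")
    return Nsec3(hash_alg, flags, iterations, fields[3], fields[4], tuple(fields[5:]))

def dnssec03_verdict(records: Iterable[Nsec3]) -> Tuple[str, int]:
    """Return (level, max_iterations): ERROR above 150, NOTICE above 0, OK at 0,
    NOT_APPLICABLE when the zone has no NSEC3 records (e.g. it uses NSEC)."""
    worst = max((r.iterations for r in records), default=None)
    if worst is None:
        return "NOT_APPLICABLE", 0
    if worst > ERROR_ABOVE:
        return "ERROR", worst
    if worst > NOTICE_ABOVE:
        return "NOTICE", worst
    return "OK", worst

# Constructed sample RDATA; the hashed owner names are placeholders, not real data.
SAMPLE_ZONES = {
    "zero-iterations.example": ["1 0 0 - 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM A NS SOA RRSIG DNSKEY NSEC3PARAM"],
    "ten-iterations.example": ["1 0 10 AABBCCDD 2VPTU5TIMAMQTTGL4LUU9KG21E0AOR3S A RRSIG",
                               "1 0 10 AABBCCDD 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM NS SOA RRSIG"],
    "excessive.example": ["1 1 500 - 2VPTU5TIMAMQTTGL4LUU9KG21E0AOR3S A RRSIG"],
}

def verdicts_for_samples() -> Dict[str, Tuple[str, int]]:
    """Grade every constructed sample zone with the proposed thresholds."""
    return {zone: dnssec03_verdict(parse_nsec3_rdata(r) for r in rrs)
            for zone, rrs in SAMPLE_ZONES.items()}
```

Exactly 150 iterations still yields NOTICE, since the draft and BIND treat only counts greater than 150 as the failure case.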