From d33ba8ebf1ef29157740bfaa82c4e114785bbe5b Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Sat, 5 Sep 2015 12:16:10 +0200
Subject: [PATCH] limit NSEC3 iterations in bindbackend
---
 modules/bindbackend/bindbackend2.hh | 1 +
 modules/bindbackend/binddnssec.cc | 13 ++++++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/modules/bindbackend/bindbackend2.hh b/modules/bindbackend/bindbackend2.hh
index 8666a702a..dce64b519 100644
--- a/modules/bindbackend/bindbackend2.hh
+++ b/modules/bindbackend/bindbackend2.hh
@@ -39,6 +39,7 @@
 #include "pdns/lock.hh"
 #include "pdns/misc.hh"
 #include "pdns/dnsbackend.hh"
+#include "pdns/logger.hh"
 #include "pdns/namespaces.hh"
 using namespace ::boost::multi_index;
diff --git a/modules/bindbackend/binddnssec.cc b/modules/bindbackend/binddnssec.cc
index f18060258..5f105b936 100644
--- a/modules/bindbackend/binddnssec.cc
+++ b/modules/bindbackend/binddnssec.cc
@@ -108,16 +108,19 @@ bool Bind2Backend::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
 getDomainMetadata(zname, "NSEC3PARAM", meta);
 if(!meta.empty())
 value=*meta.begin();
-
- if(value.empty()) { // "no NSEC3"
- return false;
- }
-
+ else
+ return false; // "no NSEC3"
+
+ static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
 if(ns3p) {
 NSEC3PARAMRecordContent* tmp=dynamic_cast(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
 *ns3p = *tmp;
 delete tmp;
 }
+ if (ns3p->d_iterations > maxNSEC3Iterations) {
+ ns3p->d_iterations = maxNSEC3Iterations;
+ L<