Veronique,
There are two restrictions:
max-types-per-name 100; (Unlikely to cause issues)
max-records-per-type 100;
So to list the counts of each each name you could use the following command:
dig -t axfr $zone @$server | awk '{print $1,$4}' | sort | uniq -c | sort -n
Where $zone is zone FQDN and $server is DNS server.
When I ran this command the following two entries had the highest counts:
NNN _ldap._tcp.DomainDnsZones.~~~.com
NNN _ldap._tcp.ForestDnsZones.~~~.com
Thanks,
--James
On 7/25/24 09:08, Veronique Lefebure wrote:
Hi,
We had the same issue as James, fortunately with no impact on production.
But I agree that , although I finally found the warning at the very
bottom of the mail announcing the new release, this MAJOR change
should have been announced more clearly.
How do you find out whether or not you have domains with more than 100
records?
I myself was not aware of that until our domain got dropped (on a
non-production server, luckily)
cheers,
Veronique
------------------------------------------------------------------------
*From:* bind-users <bind-users-boun...@lists.isc.org> on behalf of
bind-users-requ...@lists.isc.org <bind-users-requ...@lists.isc.org>
*Sent:* Thursday, July 25, 2024 2:00 PM
*To:* bind-users@lists.isc.org <bind-users@lists.isc.org>
*Subject:* bind-users Digest, Vol 4516, Issue 1
Send bind-users mailing list submissions to
bind-users@lists.isc.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/bind-users
<https://lists.isc.org/mailman/listinfo/bind-users>
or, via email, send a message with subject or body 'help' to
bind-users-requ...@lists.isc.org
You can reach the person managing the list at
bind-users-ow...@lists.isc.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of bind-users digest..."
Today's Topics:
1. Re: New BIND releases are available: 9.18.28, 9.20.0 (Ond?ej Sur?)
----------------------------------------------------------------------
Message: 1
Date: Wed, 24 Jul 2024 06:09:14 -0700
From: Ond?ej Sur? <ond...@isc.org>
To: James Stegemeyer <ja...@stegemeyer.net>
Cc: bind-users@lists.isc.org
Subject: Re: New BIND releases are available: 9.18.28, 9.20.0
Message-ID: <dc42d1a8-9a8f-48a4-9237-0185f5447...@isc.org>
Content-Type: text/plain; charset=utf-8
Hi James,
I understand this has caused you some discomfort, but it was
documented both
in the release notes and in the announcement and it was necessary to
introduce
the limits because more fix would have to be intrusive refactoring of
the internals,
and that is exactly the thing that we were trying to avoid.
As for your suggestion to ship the BIND 9 in a vulnerable state - that
would be
absolutely wrong thing to do. We released the new version to make sure the
BIND 9 is not vulnerable in the default configuration and
administrators might
assess the risks when increasing the value of the max-types-per-name
for their
particular environment.
Cheers,
Ondrej
--
Ond?ej Sur? (He/Him)
ond...@isc.org
My working hours and your working hours may be different. Please do
not feel obligated to reply outside your normal working hours.
> On 24. 7. 2024, at 4:18, James Stegemeyer <ja...@stegemeyer.net> wrote:
>
> Thanks for the new release, and the hard work you do.
>
> I recently upgraded from 9.18.24 to 9.18.28 per prompting by Ubuntu
USN-6909-1 to preform a security update. I deployed this into
production after passing some tests when installed in a lab. After
the upgrade, Internal Zones that were hosted by Windows Active
Directory were rejected and caused a production impact. Under Windows
Active Directory, the DC's create a round robin DNS record at the apex
of the zone and the number of entries approximately match the number
of DC's in the domain. It is not uncommon to have hundreds of DC's in
a domain, so setting a limit of 100 will likely cause a series of
unexpected outages for IT administrators. Because this change
restricts existing functionality, This is a breaking change and as
such should be reserved to a minor release. If this feature was
critical to resolve an issue a provider was having, it should be
shipped with default values of 0 causing it to be effectively disabled
allowing the provider to opt in.<HmgILl6x1HGckq4d.png>I
was able to resolve this issue by adding the following directive to
the affected views:
> max-types-per-name 1000;
>
> --James
>
>
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users
<https://lists.isc.org/mailman/listinfo/bind-users> to unsubscribe
from this list
>
> ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/
<https://www.isc.org/contact/> for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
<https://lists.isc.org/mailman/listinfo/bind-users>
------------------------------
Subject: Digest Footer
_______________________________________________
ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/
<https://www.isc.org/contact/> for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
<https://lists.isc.org/mailman/listinfo/bind-users>
------------------------------
End of bind-users Digest, Vol 4516, Issue 1
*******************************************
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users