Hello,
We are using bind9 with many SRV entries to allow for dynamic discovery of
hosts to monitor in our infrastructure. We have 300+ SRV records for the
same domain name.
After the security update of tonight (9.16.48 -> 9.16.50), our DNS server
never rebooted. A named-checkzone would issue error messages about "too
many records".
Before:
root@dns-ext:/var/lib/bind# named-checkzone xxx.com db.xxx.com
zone xxx.com/IN: loaded serial 2407240122
OK
After:
root@dns-ext:/var/lib/bind# named-checkzone xxx.com db.xxx.com
[...]
dns_master_load: db.xxx.com:1892: _healthchecks._tcp.iot.xxx.com: too many records
dns_master_load: db.xxx.com:1893: _hosts._tcp.iot.xxx.com: too many records
dns_master_load: db.xxx.com:1894: _healthchecks._tcp.iot.xxx.com: too many records
zone xxx.com/IN: loading from master file db.xxx.com failed: too many records
zone xxx.com/IN: not loaded due to errors.
From my understanding, it seems that the number of unique records for the
same domain name is now limited to 100, without any way to change it in
named.conf.
In the 9.20 version of bind9, it looks like they introduced a configuration
value to set this limit (probably because the 100 limit is a bit
restrictive), but this doesn't exist in the security backport.
Here is their documentation on the subject:
https://kb.isc.org/docs/rrset-limits-in-zones
Also, from what I gathered from the patches, you override the
"non-changeable" limit to 5000 in the build script, but only for developer
mode:
diff --git a/configure b/configure
index 30e65f1..835cd94 100755
--- a/configure
+++ b/configure
@@ -12341,7 +12341,7 @@ fi
XTARGETS=
if test "$enable_developer" = "yes"; then :
- STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1
-DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1
-DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000
-DDNS_RBTDB_MAX_RTYPES=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_cmocka+set}" = set || with_cmocka=yes
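Review bot: the raised limits are gated on `$enable_developer = "yes"`, so a normal (non-developer) build of this version still gets the compiled-in defaults for DNS_RDATASET_MAX_RECORDS and DNS_RBTDB_MAX_RTYPES with no configure switch or named.conf option to change them; consider exposing the two values through a dedicated configure option, or carrying the 9.20 runtime option, so operators with large RRsets are not forced to stay on the unpatched release. Since configure is generated from configure.ac, the same change must also land in configure.ac (the following file header suggests it does) or it will be lost on regeneration.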
diff --git a/configure.ac b/configure.ac
index ffe087e..6db4250 100644
--- a/configure.ac
+++ b/configure.ac
In the meantime we had to pin the version to 9.16.48.
Is this a conscious choice to solve the CVE?
Would you be willing to backport the configuration of 9.20 so that
companies using a larger number of records per name can still use bind9 with
the security update?
Thanks for your work!
Guillaume
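A pre-flight check for the limit described in the report above, added here as an example and not part of the original message or of BIND: a small Python script that counts records per owner/type in a zone file (the quantity DNS_RDATASET_MAX_RECORDS caps) and distinct types per owner (DNS_RBTDB_MAX_RTYPES), so a zone can be checked before an upgrade. The 100-record default is the limit the report describes; the zone parser is a simplified one written for this example, and the sample zone is constructed.

```python
# Pre-flight check for a BIND zone file: records per (owner, type) RRset and types per owner vs. a fixed limit.
from collections import Counter, defaultdict

_CLASSES = {"IN", "CH", "HS"}

def count_rrsets(zone_text, origin):
    """Counter keyed by (owner_fqdn, rtype). Simplified parser written for this check
    (not BIND's): $ORIGIN, '@', relative names, blank owners, ';' comments, ( )."""
    origin = origin.rstrip(".") + "."
    counts, owner, buf = Counter(), origin, ""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue                      # record continues on the next line
        line, buf = buf, ""
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".") + "."
            continue
        if line.startswith("$"):
            continue                      # $TTL and other directives
        fields = line.split()
        if line[0] not in " \t":          # explicit owner, else reuse previous
            name = fields.pop(0)
            owner = origin if name == "@" else (
                name if name.endswith(".") else f"{name}.{origin}")
        while fields and (fields[0].isdigit() or fields[0].upper() in _CLASSES):
            fields.pop(0)                 # skip optional TTL and class
        if fields:
            counts[(owner.lower(), fields[0].upper())] += 1
    return counts

def over_limits(zone_text, origin, max_records=100, max_types=None):
    """RRsets with > max_records entries and, when max_types is set, owners with > max_types types."""
    counts = count_rrsets(zone_text, origin)
    types = defaultdict(set)
    for owner, rtype in counts:
        types[owner].add(rtype)
    return {"records": {k: n for k, n in counts.items() if n > max_records},
            "types": {o: len(t) for o, t in types.items() if max_types is not None and len(t) > max_types}}

# Constructed sample zone: 120 SRV records under one name, like the report.
SAMPLE_ZONE = "\n".join(
    ["$ORIGIN example.test.", "$TTL 300",
     "@ IN SOA ns1 hostmaster ( 1 3600 900 604800 300 )",
     "_healthchecks._tcp.iot 300 IN SRV 0 0 9090 hc1",
     "        IN SRV 0 0 9090 hc2 ; blank owner: previous name"]
    + [f"_hosts._tcp.iot IN SRV 0 0 8080 host{i}" for i in range(120)])
```

Run it against a real zone with `over_limits(open("db.example").read(), "example")` and anything listed under "records" is what named-checkzone in 9.16.50 would reject.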