DNS Zone File Entries Limit

Silas Cutler silas.cutler at blacklistthisdomain.com
Fri Nov 16 00:17:20 UTC 2012


No ACLs in place.

[SLAVE]
Nov 15 19:13:36 [Redacted] named[21899]: zone rpz/IN: refresh:
unexpected rcode (REFUSED) from master MASTER#53 (source 0.0.0.0#0)
Nov 15 19:13:36 [Redacted] named[21899]: zone rpz/IN: Transfer started.
Nov 15 19:13:36 [Redacted] named[21899]: transfer of 'rpz/IN' from
MASTER#53: connected using SLAVE#39164
Nov 15 19:13:36 [Redacted] named[21899]: transfer of 'rpz/IN' from
MASTER#53: failed while receiving responses: NOTAUTH
Nov 15 19:13:36 [Redacted] named[21899]: transfer of 'rpz/IN' from
MASTER#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.070
secs (0 bytes/sec)

[MASTER]
Nov 16 00:12:51 [Redacted] named[32736]: client SLAVE#39164: bad zone
transfer request: 'rpz/IN': non-authoritative zone (NOTAUTH)
Nov 16 00:13:40 [Redacted] named[32736]: client SLAVE#59205: bad zone
transfer request: 'rpz/IN': non-authoritative zone (NOTAUTH)


On 11/15/12 7:08 PM, Mark Andrews wrote:
> In message <50A582D2.30303 at blacklistthisdomain.com>, Silas Cutler writes:
>> Well, the authoritative server can handle the zone file size.  However,
>> when the slave makes the request for the zone, I get:
>>
>>  refresh: unexpected rcode (REFUSED)
> The slave is making a SOA query to the master and is getting refused as
> a response.  I would be checking your acls.  Look at the logs on the
> master.
>
>> On 11/15/12 6:59 PM, Mark Andrews wrote:
>>> In message <50A580C1.9080900 at blacklistthisdomain.com>, Silas Cutler writes:
>>>> Good Evening,
>>>>
>>>> I've been doing some DNS RPZ experiments and during my testing I found
>>>> that if a DNS Zone on an Authoritative DNS Server has more than 100k
>>>> elements, it will not replicate to a slave DNS Server.
>>>>
>>>> Do you know if this is a known issue or a PEBKAC related problem?
>>> Given named hosts zones with 10's, if not 100's, of millions of
>>> records it isn't record count.  There are no fixed limits, just
>>> what the machine's memory can support.
>>>
>>>> Cheers,
>>>> Silas Cutler
>>>> Security Researcher
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>>>>  from this list
>>>>
>>>> bind-users mailing list
>>>> bind-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
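
An added example, not part of the original message or of BIND: the slave and master excerpts above carry timestamps about five hours apart, so this sketch pairs the two sides on the transfer's source address#port (SLAVE#39164) instead of on time. The log lines are the ones quoted above with the mail wrapping re-joined; the function names and regexes are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Log lines taken from the message above, re-joined where the mail client wrapped them.
SLAVE_LOG = """\
Nov 15 19:13:36 [Redacted] named[21899]: zone rpz/IN: refresh: unexpected rcode (REFUSED) from master MASTER#53 (source 0.0.0.0#0)
Nov 15 19:13:36 [Redacted] named[21899]: zone rpz/IN: Transfer started.
Nov 15 19:13:36 [Redacted] named[21899]: transfer of 'rpz/IN' from MASTER#53: connected using SLAVE#39164
Nov 15 19:13:36 [Redacted] named[21899]: transfer of 'rpz/IN' from MASTER#53: failed while receiving responses: NOTAUTH
"""
MASTER_LOG = """\
Nov 16 00:12:51 [Redacted] named[32736]: client SLAVE#39164: bad zone transfer request: 'rpz/IN': non-authoritative zone (NOTAUTH)
Nov 16 00:13:40 [Redacted] named[32736]: client SLAVE#59205: bad zone transfer request: 'rpz/IN': non-authoritative zone (NOTAUTH)
"""

REFRESH = re.compile(r"zone (\S+): refresh: unexpected rcode \((\w+)\) from master (\S+)")
CONNECT = re.compile(r"transfer of '([^']+)' from (\S+): connected using (\S+)")
FAILED = re.compile(r"transfer of '([^']+)' from (\S+): failed while receiving responses: (\w+)")
MASTER_REJECT = re.compile(r"client (\S+): bad zone transfer request: '([^']+)': (.+) \((\w+)\)")

def parse_slave(text):
    """Per zone: rcode of the SOA refresh, transfer socket, transfer rcode."""
    zones = defaultdict(dict)
    for line in text.splitlines():
        if m := REFRESH.search(line):
            zones[m[1]]["refresh_rcode"] = m[2]
        elif m := CONNECT.search(line):
            zones[m[1]]["socket"] = m[3]
        elif m := FAILED.search(line):
            zones[m[1]]["xfer_rcode"] = m[3]
    return dict(zones)

def parse_master(text):
    """Map client addr#port -> (zone, reason, rcode) for rejected transfers."""
    return {m[1]: (m[2], m[3], m[4])
            for line in text.splitlines() if (m := MASTER_REJECT.search(line))}

def correlate(slave_text, master_text):
    """Join both sides on the transfer's source addr#port, not on timestamps."""
    rejects = parse_master(master_text)
    out = {}
    for zone, info in parse_slave(slave_text).items():
        hit = rejects.get(info.get("socket"))
        out[zone] = {**info, "master_reason": hit[1] if hit and hit[0] == zone else None}
    return out

if __name__ == "__main__":
    for zone, row in correlate(SLAVE_LOG, MASTER_LOG).items():
        print(zone, row)
```

For the lines above this reports a REFUSED refresh and a NOTAUTH transfer for rpz/IN, with the master's stated reason "non-authoritative zone" attached to the same connection.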
