bind-users Digest, Vol 4516, Issue 1

Veronique Lefebure Veronique.Lefebure at cern.ch
Thu Jul 25 13:08:26 UTC 2024


Hi,
We had the same issue as James, fortunately with no impact on production.
But I agree that, although I finally found the warning at the very bottom of the mail announcing the new release, this MAJOR change should have been announced more clearly.
How do you find out whether or not you have domains with more than 100 records?
I myself was not aware of that until our domain got dropped (on a non-production server, luckily).

cheers,
Veronique


________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of bind-users-request at lists.isc.org <bind-users-request at lists.isc.org>
Sent: Thursday, July 25, 2024 2:00 PM
To: bind-users at lists.isc.org <bind-users at lists.isc.org>
Subject: bind-users Digest, Vol 4516, Issue 1


Today's Topics:

   1. Re: New BIND releases are available: 9.18.28, 9.20.0 (Ondřej Surý)


----------------------------------------------------------------------

Message: 1
Date: Wed, 24 Jul 2024 06:09:14 -0700
From: Ondřej Surý <ondrej at isc.org>
To: James Stegemeyer <james at stegemeyer.net>
Cc: bind-users at lists.isc.org
Subject: Re: New BIND releases are available: 9.18.28, 9.20.0
Message-ID: <DC42D1A8-9A8F-48A4-9237-0185F54479EB at isc.org>
Content-Type: text/plain;       charset=utf-8

Hi James,

I understand this has caused you some discomfort, but it was documented both
in the release notes and in the announcement and it was necessary to introduce
the limits because more fix would have to be intrusive refactoring of the internals,
and that is exactly the thing that we were trying to avoid.

As for your suggestion to ship the BIND 9 in a vulnerable state - that would be
an absolutely wrong thing to do. We released the new version to make sure the
BIND 9 is not vulnerable in the default configuration and administrators might
assess the risks when increasing the value of the max-types-per-name for their
particular environment.

Cheers,
Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 24. 7. 2024, at 4:18, James Stegemeyer <james at stegemeyer.net> wrote:
>
> Thanks for the new release, and the hard work you do.
>
> I recently upgraded from 9.18.24 to 9.18.28 per prompting by Ubuntu USN-6909-1 to perform a security update. I deployed this into production after passing some tests when installed in a lab. After the upgrade, Internal Zones that were hosted by Windows Active Directory were rejected and caused a production impact. Under Windows Active Directory, the DC's create a round robin DNS record at the apex of the zone and the number of entries approximately match the number of DC's in the domain. It is not uncommon to have hundreds of DC's in a domain, so setting a limit of 100 will likely cause a series of unexpected outages for IT administrators. Because this change restricts existing functionality, this is a breaking change and as such should be reserved to a minor release. If this feature was critical to resolve an issue a provider was having, it should be shipped with default values of 0 causing it to be effectively disabled allowing the provider to opt in.
>
> I was able to resolve this issue by adding the following directive to the affected views:
> max-types-per-name 1000;
>
> --James
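
One way to answer the question raised in this thread, whether any zone holds more than 100 records, as an added example (not code from the thread or from ISC): the script counts records per owner name and type, and distinct types per name, against a limit of 100. It assumes the zone is available as one-record-per-line text with the owner name on every line (for example saved AXFR output); `parse_record`, `audit` and the `example.test` sample data are constructed for illustration.

```python
import sys
from collections import defaultdict

LIMIT = 100                    # default limit discussed in the thread
CLASSES = {"IN", "CH", "HS"}

def parse_record(line):
    """Return (owner, rrtype) for one record line, or None for non-records."""
    line = line.split(";", 1)[0].strip()   # owner and type always precede any ';'
    if not line or line.startswith("$"):   # blank, comment-only, $ORIGIN/$TTL
        return None
    fields = line.split()
    owner, rest = fields[0].lower(), fields[1:]
    # TTL and class are optional and may appear in either order.
    while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
        rest = rest[1:]
    return (owner, rest[0].upper()) if rest else None

def audit(lines, limit=LIMIT):
    """Return (rrsets over limit, names with more than `limit` types)."""
    rrset_sizes = defaultdict(int)      # (owner, type) -> record count
    types_at_name = defaultdict(set)    # owner -> set of types
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rrset_sizes[rec] += 1
        types_at_name[rec[0]].add(rec[1])
    big_rrsets = {k: n for k, n in rrset_sizes.items() if n > limit}
    busy_names = {o: len(t) for o, t in types_at_name.items() if len(t) > limit}
    return big_rrsets, busy_names

def sample_zone():
    """Constructed sample: 150 round-robin A records at the zone apex."""
    lines = [
        "; constructed test data",
        "example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 3600 600 86400 300",
        "example.test. 3600 IN NS ns1.example.test.",
        "www.example.test. 600 IN A 192.0.2.1",
    ]
    lines += [f"example.test. 600 IN A 192.0.2.{i + 1}" for i in range(150)]
    return lines

if __name__ == "__main__":
    # Pass a zone text file as the first argument, or run on the sample.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sample_zone()
    big, busy = audit(src)
    for (owner, rrtype), n in sorted(big.items()):
        print(f"{owner} {rrtype}: {n} records (limit {LIMIT})")
    for owner, n in sorted(busy.items()):
        print(f"{owner}: {n} types (limit {LIMIT})")
```

Running it against each zone before an upgrade lists the names that would exceed the limit, so the value can be raised deliberately per zone or view rather than discovered through a rejected zone.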


