bind-users Digest, Vol 4516, Issue 1

James Stegemeyer james at stegemeyer.net
Thu Jul 25 14:15:15 UTC 2024


Veronique,


There are two restrictions:

max-types-per-name 100; (Unlikely to cause issues)
max-records-per-type 100;

So to list the counts of each name you could use the following command:

dig -t axfr $zone  @$server | awk '{print $1,$4}' | sort | uniq -c | sort -n


Where $zone is the zone FQDN and $server is the DNS server.
When I ran this command the following two entries had the highest counts:


NNN _ldap._tcp.DomainDnsZones.~~~.com

NNN _ldap._tcp.ForestDnsZones.~~~.com

Thanks,
--James


On 7/25/24 09:08, Veronique Lefebure wrote:
> Hi,
> We had the same issue as James, fortunately with no impact on production.
> But I agree that, although I finally found the warning at the very
> bottom of the mail announcing the new release, this MAJOR change
> should have been announced more clearly.
> How do you find out whether or not you have domains with more than 100
> records?
> I myself was not aware of that until our domain got dropped (on a
> non-production server, luckily).
>
> cheers,
> Veronique
>
>
> ------------------------------------------------------------------------
> *From:* bind-users <bind-users-bounces at lists.isc.org> on behalf of 
> bind-users-request at lists.isc.org <bind-users-request at lists.isc.org>
> *Sent:* Thursday, July 25, 2024 2:00 PM
> *To:* bind-users at lists.isc.org <bind-users at lists.isc.org>
> *Subject:* bind-users Digest, Vol 4516, Issue 1
>
> Message: 1
> Date: Wed, 24 Jul 2024 06:09:14 -0700
> From: Ondřej Surý <ondrej at isc.org>
> To: James Stegemeyer <james at stegemeyer.net>
> Cc: bind-users at lists.isc.org
> Subject: Re: New BIND releases are available: 9.18.28, 9.20.0
> Message-ID: <DC42D1A8-9A8F-48A4-9237-0185F54479EB at isc.org>
> Content-Type: text/plain;       charset=utf-8
>
> Hi James,
>
> I understand this has caused you some discomfort, but it was documented
> both in the release notes and in the announcement and it was necessary
> to introduce the limits because more fix would have to be intrusive
> refactoring of the internals, and that is exactly the thing that we
> were trying to avoid.
>
> As for your suggestion to ship the BIND 9 in a vulnerable state - that
> would be absolutely wrong thing to do. We released the new version to
> make sure the BIND 9 is not vulnerable in the default configuration and
> administrators might assess the risks when increasing the value of the
> max-types-per-name for their particular environment.
>
> Cheers,
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
> My working hours and your working hours may be different. Please do 
> not feel obligated to reply outside your normal working hours.
>
> > On 24. 7. 2024, at 4:18, James Stegemeyer <james at stegemeyer.net> wrote:
> >
> > Thanks for the new release, and the hard work you do.
> >
> > I recently upgraded from 9.18.24 to 9.18.28 per prompting by Ubuntu
> > USN-6909-1 to perform a security update.  I deployed this into
> > production after passing some tests when installed in a lab.  After
> > the upgrade, Internal Zones that were hosted by Windows Active
> > Directory were rejected and caused a production impact.  Under Windows
> > Active Directory, the DC's create a round robin DNS record at the apex
> > of the zone and the number of entries approximately match the number
> > of DC's in the domain. It is not uncommon to have hundreds of DC's in
> > a domain, so setting a limit of 100 will likely cause a series of
> > unexpected outages for IT administrators.   Because this change
> > restricts existing functionality, this is a breaking change and as
> > such should be reserved to a minor release. If this feature was
> > critical to resolve an issue a provider was having, it should be
> > shipped with default values of 0 causing it to be effectively disabled
> > allowing the provider to opt in.
> >
> > I was able to resolve this issue by adding the following directive to
> > the affected views:
> > max-types-per-name 1000;
> >
> > --James
>
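
Added example (not part of the messages above and not ISC's code): a shell function that checks `dig` zone-transfer output against both limits named in this thread, max-records-per-type and max-types-per-name. It goes beyond the one-liner by counting distinct types per name, skipping dig's comment lines, and counting the SOA that an AXFR repeats only once; the names `rrset_audit` and `sample_axfr`, the zone `example.test` and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `dig -t axfr` output against BIND's per-name limits.
# Live use: dig -t axfr "$zone" "@$server" | rrset_audit 100 100
# rrset_audit and sample_axfr are hypothetical names, not BIND tools.

rrset_audit() {
    max_records=${1:-100}   # compare against max-records-per-type
    max_types=${2:-100}     # compare against max-types-per-name
    awk -v mr="$max_records" -v mt="$max_types" '
        NF < 5 || $1 ~ /^;/ { next }     # skip blank lines and dig comments
        $3 != "IN"          { next }     # keep class IN record lines only
        {
            name = tolower($1); type = $4
            # An AXFR starts and ends with the SOA; count it once.
            if (type == "SOA" && soa_seen[name]++) next
            key = name " " type
            if (!(key in rrset)) types[name]++   # first record of a new type
            rrset[key]++
        }
        END {
            for (k in rrset) if (rrset[k] > mr) print "records-per-type", rrset[k], k
            for (n in types) if (types[n] > mt) print "types-per-name", types[n], n
        }
    ' | sort
}

# Constructed sample transfer (documentation names and addresses only).
sample_axfr() {
cat <<'EOF'
; <<>> DiG <<>> -t axfr example.test @192.0.2.53
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 3600 600 86400 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 600 IN A 192.0.2.10
example.test. 600 IN A 192.0.2.11
example.test. 600 IN A 192.0.2.12
_ldap._tcp.example.test. 600 IN SRV 0 100 389 dc1.example.test.
_ldap._tcp.example.test. 600 IN SRV 0 100 389 dc2.example.test.
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 3600 600 86400 3600
;; XFR size: 8 records
EOF
}
```

An empty result means nothing in the transfer exceeds the limits passed in; each output line gives the limit that was crossed, the count, and the name (with the type for a record-count finding).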