<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Veronique,</p>
<p><br>
There are two restrictions:<br>
</p>
<p>max-types-per-name 100; (Unlikely to cause issues)<br>
max-records-per-type 100;<br>
So to list the counts of each name you could use the
following command:<br>
<br>
</p>
<p>dig -t axfr $zone @$server | awk '{print $1,$4}' | sort | uniq
-c | sort -n</p>
<p><br>
</p>
<p>Where $zone is zone FQDN and $server is DNS server.<br>
When I ran this command the following two entries had the highest
counts:</p>
<p><br>
</p>
<p>NNN _ldap._tcp.DomainDnsZones.~~~.com<br>
</p>
<p>NNN _ldap._tcp.ForestDnsZones.~~~.com<br>
<br>
</p>
<p>Thanks,<br>
--James<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 7/25/24 09:08, Veronique Lefebure
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ZRAP278MB075586BD74FA7057CB3E44B589AB2@ZRAP278MB0755.CHEP278.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi,</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
We had the same issue as James, fortunately with no impact on
production.</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
But I agree that, although I finally found the warning at the
very bottom of the mail announcing the new release, this MAJOR
change should have been announced more clearly.</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
How do you find out whether or not you have domains with more
than 100 records?</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I myself was not aware of that until our domain got dropped (on
a non-production server, luckily)</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
cheers,</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Veronique</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<hr style="display: inline-block; width: 98%;">
<div id="divRplyFwdMsg" dir="ltr"><span
style="font-family: Calibri, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);"><b>From:</b> bind-users
<a class="moz-txt-link-rfc2396E" href="mailto:bind-users-bounces@lists.isc.org">&lt;bind-users-bounces@lists.isc.org&gt;</a> on behalf of
<a class="moz-txt-link-abbreviated" href="mailto:bind-users-request@lists.isc.org">bind-users-request@lists.isc.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:bind-users-request@lists.isc.org">&lt;bind-users-request@lists.isc.org&gt;</a><br>
<b>Sent:</b> Thursday, July 25, 2024 2:00 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:bind-users@lists.isc.org">&lt;bind-users@lists.isc.org&gt;</a><br>
<b>Subject:</b> bind-users Digest, Vol 4516, Issue 1</span>
<div> </div>
</div>
<div style="font-size: 11pt;">
Today's Topics:<br>
<br>
1. Re: New BIND releases are available: 9.18.28, 9.20.0
(Ondřej Surý)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Wed, 24 Jul 2024 06:09:14 -0700<br>
From: Ondřej Surý <a class="moz-txt-link-rfc2396E" href="mailto:ondrej@isc.org">&lt;ondrej@isc.org&gt;</a><br>
To: James Stegemeyer <a class="moz-txt-link-rfc2396E" href="mailto:james@stegemeyer.net">&lt;james@stegemeyer.net&gt;</a><br>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
Subject: Re: New BIND releases are available: 9.18.28, 9.20.0<br>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:DC42D1A8-9A8F-48A4-9237-0185F54479EB@isc.org">&lt;DC42D1A8-9A8F-48A4-9237-0185F54479EB@isc.org&gt;</a><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
Hi James,<br>
<br>
I understand this has caused you some discomfort, but it was
documented both<br>
in the release notes and in the announcement and it was
necessary to introduce<br>
the limits because more fix would have to be intrusive
refactoring of the internals,<br>
and that is exactly the thing that we were trying to avoid.<br>
<br>
As for your suggestion to ship the BIND 9 in a vulnerable state
- that would be<br>
absolutely wrong thing to do. We released the new version to
make sure the<br>
BIND 9 is not vulnerable in the default configuration and
administrators might<br>
assess the risks when increasing the value of the
max-types-per-name for their<br>
particular environment.<br>
<br>
Cheers,<br>
Ondrej<br>
--<br>
Ondřej Surý (He/Him)<br>
<a class="moz-txt-link-abbreviated" href="mailto:ondrej@isc.org">ondrej@isc.org</a><br>
<br>
My working hours and your working hours may be different. Please
do not feel obligated to reply outside your normal working
hours.<br>
<br>
> On 24. 7. 2024, at 4:18, James Stegemeyer
<a class="moz-txt-link-rfc2396E" href="mailto:james@stegemeyer.net">&lt;james@stegemeyer.net&gt;</a> wrote:<br>
><br>
> Thanks for the new release, and the hard work you do.<br>
><br>
> I recently upgraded from 9.18.24 to 9.18.28 per prompting
by Ubuntu USN-6909-1 to perform a security update. I deployed
this into production after passing some tests when installed in
a lab. After the upgrade, Internal Zones that were hosted by
Windows Active Directory were rejected and caused a production
impact. Under Windows Active Directory, the DCs create a round
robin DNS record at the apex of the zone and the number of
entries approximately match the number of DCs in the domain.
It is not uncommon to have hundreds of DCs in a domain, so
setting a limit of 100 will likely cause a series of unexpected
outages for IT administrators. Because this change restricts
existing functionality, this is a breaking change and as such
should be reserved to a minor release. If this feature was
critical to resolve an issue a provider was having, it should be
shipped with default values of 0 causing it to be effectively
disabled allowing the provider to opt
in. I<br>
was able to resolve this issue by adding the following
directive to the affected views:<br>
> max-types-per-name 1000;<br>
><br>
> --James<br>
><br>
><br>
><br>
> --<br>
> Visit <a
href="https://lists.isc.org/mailman/listinfo/bind-users"
id="OWA96c1473d-71e1-ad85-faef-731d15133a97"
class="OWAAutoLink moz-txt-link-freetext"
data-auth="NotApplicable" moz-do-not-send="true">
https://lists.isc.org/mailman/listinfo/bind-users</a> to
unsubscribe from this list<br>
><br>
> ISC funds the development of this software with paid
support subscriptions. Contact us at
<a href="https://www.isc.org/contact/"
id="OWAc650c082-b33d-fc6c-e8ff-ba3a09698853"
class="OWAAutoLink moz-txt-link-freetext"
data-auth="NotApplicable" moz-do-not-send="true">
https://www.isc.org/contact/</a> for more information.<br>
><br>
><br>
> bind-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
> <a
href="https://lists.isc.org/mailman/listinfo/bind-users"
id="OWAda97b7e5-f9cf-f007-6409-8ac30bafbd14"
class="OWAAutoLink moz-txt-link-freetext"
data-auth="NotApplicable" moz-do-not-send="true">
https://lists.isc.org/mailman/listinfo/bind-users</a><br>
<br>
<br>
<br>
------------------------------<br>
<br>
End of bind-users Digest, Vol 4516, Issue 1<br>
*******************************************</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
</blockquote>
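<p>The counting approach from the reply at the top of this thread, extended to check both limits named there, as an added example that is not part of the original messages. The function names <code>check_rrset_limits</code> and <code>sample_axfr</code> and the zone data are hypothetical; both limits default to 100, the value quoted in the thread.</p>

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample data are hypothetical.

# check_rrset_limits [max_records_per_type] [max_types_per_name]
# Reads dig-style zone-transfer text on stdin: name TTL class type rdata...
# Prints one line per owner name that exceeds a limit, nothing otherwise.
check_rrset_limits() {
    awk -v max_rec="${1:-100}" -v max_types="${2:-100}" '
        NF == 0 || $1 ~ /^;/ { next }   # skip blank lines and dig comment lines
        seen[$0]++ { next }             # AXFR sends the SOA first and last; count it once
        {
            name = tolower($1)          # DNS names compare case-insensitively
            key = name SUBSEP $4
            if (!(key in rec)) types[name]++   # first record of a new type at this name
            rec[key]++
        }
        END {
            for (key in rec) if (rec[key] > max_rec) {
                split(key, p, SUBSEP)
                printf "records-per-type %d %s %s\n", rec[key], p[1], p[2]
            }
            for (name in types) if (types[name] > max_types)
                printf "types-per-name %d %s\n", types[name], name
        }' | sort
}

# Constructed zone-transfer output (documentation names and addresses only).
sample_axfr() {
    cat <<'EOF'
; constructed sample, not real zone data
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 3600 600 86400 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 600 IN A 192.0.2.1
example.test. 600 IN A 192.0.2.2
example.test. 600 IN A 192.0.2.3
_ldap._tcp.DomainDnsZones.example.test. 600 IN SRV 0 100 389 dc1.example.test.
_ldap._tcp.domaindnszones.example.test. 600 IN SRV 0 100 389 dc2.example.test.
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 3600 600 86400 3600
EOF
}

# Live use, with $zone and $server as in the command above:
#   dig -t axfr "$zone" @"$server" | check_rrset_limits
sample_axfr | check_rrset_limits 2 100   # low limit so the constructed sample trips it
```

<p>Run it against every view that serves the zone before upgrading, since the thread reports zones over the limit being rejected after the upgrade.</p>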
</body>
</html>