On Fri, Jul 26, 2024 at 11:24 AM Guillaume Bienkowski wrote:
>
> Hello,

Hi

> We are using bind9 with many SRV entries to allow for dynamic discovery of 
> hosts to monitor in our infrastructure. We have 300+ SRV records for the same 
> domain name.
>
> After the security update of tonight (9.16.48 -> 9.16.50), our DNS server 
> never rebooted. A named-checkzone would issue error messages about "too many 
> records".

  <.. snip before/after example ..>
> From my understanding, it seems that the number of unique records for the 
> same domain name is now limited to 100, without any way to change it in 
> named.conf.
>
> In the 9.20 version of bind9, it looks like they introduced a configuration 
> value to set this limit (probably because the 100 limit is a bit 
> restrictive), but this doesn't exist in the security backport.
>
> Here is their documentation on the subject: 
> https://kb.isc.org/docs/rrset-limits-in-zones

  <.. snip ..>

> In the meantime we had to pin the version to 9.16.48.

which is from Debian 11

> Is this a conscious choice to solve the CVE?

Yes.  From the bind9 security update email of July 25

-  For the oldstable distribution (bullseye), these problems have been
-  fixed in version 1:9.16.50-1~deb11u1. For the oldstable distribution
-  (bullseye) the limits to mitigate CVE-2024-1737 are hardcoded and not
-  configurable.

It also has

- For the stable distribution (bookworm), these problems have been fixed in
- version 1:9.18.28-1~deb12u1.

> Would you be willing to backport the configuration of 9.20 so that companies 
> using larger record numbers per name can still use bind9 with security updates?

I don't know how accurate the wiki is, but
  https://wiki.debian.org/DebianReleases#Production_Releases
has Bullseye / Debian 11 going end of life this month.

I also don't know how much the Debian security team relies on upstream
for patches, but the ISC notice for security fixes doesn't even
mention 9.16:
  https://lists.isc.org/pipermail/bind-users/2024-July/108763.html

Considering end-of-life for Debian 11 is rapidly approaching and what
you're asking for exists in the current stable release (Debian 12/
bind 9.18), maybe you should be considering upgrading to the current
Debian stable release?

Regards,
Lee
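As an added example, not code from this thread nor from ISC or Debian: a small pre-flight shell check that counts the records of each type under each owner name in a zone file, so a zone like the one described above (300+ SRV records under one name) can be identified before a server is moved to 9.16.50, where the 100-record cap is hardcoded. The zone-file parsing is a deliberately simple approximation of the master-file syntax (comments, inherited owner names, optional TTL/class, parenthesised multi-line records) and not BIND's own parser; the sample zone is constructed for the example. Function and variable names are mine.

```shell
#!/bin/sh
# rrset_limit_check ZONEFILE [LIMIT]
#   Counts the records of each type under each owner name in a BIND zone file
#   and prints "owner TYPE count" for every (owner, type) pair whose count
#   exceeds LIMIT (default 100, the cap hardcoded in 9.16.50).
#   Exit status 1 if any pair exceeds the cap, 0 otherwise.
# Assumptions (pre-flight helper, not BIND's parser): ';' starts a comment and
# never appears inside quoted rdata; multi-line records are parenthesised.
rrset_limit_check() {
    rlc_zone="$1"
    rlc_limit="${2:-100}"
    rlc_out=$(awk -v limit="$rlc_limit" '
    {
        sub(/;.*/, "")                        # strip comments
        if ($0 ~ /^[ \t]*$/) next             # skip blank lines
        if (buf == "") {                      # first line of a record: a leading
            buf = $0                          # blank means the owner is inherited
            inherit = ($0 ~ /^[ \t]/)
        } else {
            buf = buf " " $0
        }
        # Keep accumulating while a "(" is unbalanced (multi-line SOA etc.)
        if (gsub(/\(/, "(", buf) > gsub(/\)/, ")", buf)) next
        rec = buf; buf = ""
        gsub(/[()]/, " ", rec)
        sub(/^[ \t]+/, "", rec); sub(/[ \t]+$/, "", rec)
        if (rec ~ /^\$/) next                 # $TTL / $ORIGIN / $INCLUDE directives
        n = split(rec, f, /[ \t]+/)
        i = 1
        if (!inherit) { owner = f[1]; i = 2 }
        # Skip optional TTL (3600, 1h30m, ...) and optional class; next field is the type
        while (i <= n && (tolower(f[i]) ~ /^[0-9]+([smhdw][0-9]*)*$/ ||
                          toupper(f[i]) ~ /^(IN|CH|HS)$/)) i++
        if (i > n) next
        count[owner SUBSEP toupper(f[i])]++
    }
    END {
        bad = 0
        for (k in count) if (count[k] > limit) {
            split(k, p, SUBSEP)
            printf "%s %s %d\n", p[1], p[2], count[k]
            bad = 1
        }
        exit bad
    }' "$rlc_zone")
    rlc_rc=$?
    [ -n "$rlc_out" ] && printf '%s\n' "$rlc_out" | sort
    return "$rlc_rc"
}

# Writes a small constructed zone (not from the thread) to the path in $1:
# the name _mon._tcp carries four SRV records, so a limit of 3 trips on it.
make_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
$ORIGIN example.net.
@   IN SOA ns1.example.net. hostmaster.example.net. (
        2024072601 ; serial
        3600 900 1209600 300 )
    IN NS  ns1.example.net.
ns1 IN A   192.0.2.1
_mon._tcp IN SRV 10 10 9100 host1.example.net. ; monitored hosts
          IN SRV 10 10 9100 host2.example.net.
          IN SRV 10 10 9100 host3.example.net.
          IN SRV 10 10 9100 host4.example.net.
host1     A 192.0.2.11
EOF
}

# Usage: sh rrset_limit_check.sh ZONEFILE [LIMIT]
if [ "$#" -ge 1 ]; then
    rrset_limit_check "$@"
fi
```

Run against the real zone file with the default limit of 100 to get the list of names that will make 9.16.50 refuse to load the zone; named-checkzone from 9.16.50 reports the same condition, this just says which names and how many records. On BIND 9.18.28 and later the cap is adjustable with the max-records-per-type option (and its sibling max-types-per-name) in the options, view or zone block, per the ISC KB page linked earlier in the thread; those option names come from ISC's documentation, not from the thread itself.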
