On 23.09.24 08:07, Peter Davies wrote:
------------------------------------------------------------------------
*From:* "Nagesh Thati" <tcpnag...@gmail.com>
*To:* "bind-users" <bind-users@lists.isc.org>
*Sent:* Monday, 23 September, 2024 07:48:32
*Subject:* Assistance Needed: "Too Many Records" Error When Reloading Zone `example.com`, BIND: 9.18.29

Hi BIND Community,
[...]
*`general.log` Output:*

23-Sep-2024 10:33:48.625 general: info: received control channel command 'reload example.com'
23-Sep-2024 10:33:48.625 general: debug 1: zone_startload: zone example.com/IN: enter
23-Sep-2024 10:33:48.629 general: error: dns_master_load: /var/named/zones/db.example.com:995: text.example.com: too many records

*Zone File Excerpt (Line 995):*

990 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for us-lcm-01.example.com. created on 2024-05-28"
991 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 211 for us-vra.example.com. created on 2024-05-28"
992 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 212 for us-vdm.example.com. created on 2024-05-28"
993 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 217 for us-twlcm-01.example.com. created on 2024-05-28"
994 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 220 for us-lcm-02.example.com. created on 2024-05-29"
*995 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 225 for us-dev-remote-50.example.com. created on 2024-05-29"*
996 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 228 for us-vdm-02.example.com. created on 2024-05-29"
997 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 230 for us-lcm-03.example.com. created on 2024-05-29"
998 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 235 for us-dev-remote-51.example.com. created on 2024-05-29"
999 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 240 for us-twlcm-02.example.com. created on 2024-05-29"
On 23.09.24 09:30, Petr Špaček wrote:
>> *Request for Assistance:*
>> 1. _Understanding the Limit:_ Is there a configurable limit in BIND that restricts the number of records per zone? If so, how can we adjust this limit to accommodate our current zone size?
>
> Although you can adjust the configuration to allow more records in one place, it is not recommended. Doing so opens the possibility of DoS attacks.

Hi Nagesh,

I think a better option would be to convert the RRs

text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for us-lcm-01.example.com. created on 2024-05-28"

to something like

us-lcm-01.text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for us-lcm-01.example.com. created on 2024-05-28"

since the discovery of the real name of text.example.com (if this is requestable from unvalidated source IP addresses - almost any source IP address on the "internet" has to be considered unvalidated, since there is no applicable way to validate foreign source addresses on autonomous system interconnects yet) will make it possible to abuse these RRs for a DoS amplification attack against third parties (the real owners of the forged source IPs). The attacker just needs to send requests for text.example.com IN TXT with the forged IP of the victim, and the victim will get your hundreds of TXT records under this name from your server for each of them.

But depending on the origin or use of these records this might be difficult. ;-)

Kind regards,
Lars

--
Lars Kollstedt
Phone: +49 6151 16-71027
E-Mail: l...@man-da.de

man-da.de GmbH
Dolivostraße 11
64293 Darmstadt

Registered office: Darmstadt
Register court: Amtsgericht Darmstadt
Commercial register number: HRB 9484
Managing director: Andreas Ebert
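The reply above makes two points: a single owner name with hundreds of TXT records trips the reload limit, and the same oversized RRset is what makes an amplification response worth forging a source address for. The following Python script is an added example, not code from the thread or from ISC: it parses one-line RRs in the excerpt's layout, flags RRsets above a record limit (the limit value is an assumption, not the figure BIND enforces), estimates the UDP response/query byte ratio of each with a simplified size model (assumed: TXT and A only, compressed owner names, no EDNS or DNSSEC), and derives the per-host owner names Lars proposes. The sample zone lines are constructed.

```python
import re
from collections import defaultdict
# Constructed sample in the excerpt's one-line RR layout (not the poster's real zone).
SAMPLE_ZONE = """\
text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for us-lcm-01.example.com. created on 2024-05-28"
text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 211 for us-vra.example.com. created on 2024-05-28"
text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 212 for us-vdm.example.com. created on 2024-05-28"
www.example.com. 300 IN A 192.0.2.10
"""
RR_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$')

def parse_zone(text):
    """Group one-line RRs by (owner, type) -> list of rdata strings."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            rrsets[(owner.lower(), rtype.upper())].append(rdata)
    return dict(rrsets)

def wire_name_len(name):
    """Uncompressed wire length of a dotted name: 1 length byte per label + root byte."""
    return sum(1 + len(l) for l in name.rstrip('.').split('.') if l) + 1

def txt_rdata_len(rdata):
    """TXT RDATA length: each quoted <character-string> costs 1 length byte + its text."""
    return sum(1 + len(s) for s in re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))

def rrset_bytes(owner, rtype, rdatas):
    """(query_bytes, response_bytes) for a plain UDP query answered with this RRset: header(12)
    + question; each answer RR adds a 2-byte compressed owner + 10 fixed bytes + RDATA (assumed model)."""
    query = 12 + wire_name_len(owner) + 4
    rdlen = sum(txt_rdata_len(r) for r in rdatas) if rtype == 'TXT' else 4 * len(rdatas)
    return query, query + len(rdatas) * 12 + rdlen

def oversized_rrsets(rrsets, limit):
    """RRsets holding more than `limit` records, the condition behind the reload error."""
    return {k: len(v) for k, v in rrsets.items() if len(v) > limit}

def split_owner(owner, rdata):
    """Per-host owner as proposed above: the host label after 'for ' is prepended to the owner."""
    m = re.search(r'\bfor ([A-Za-z0-9-]+)\.', rdata)
    return f"{m.group(1)}.{owner}" if m else owner
if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for (owner, rtype), n in oversized_rrsets(zone, limit=2).items():  # limit: assumed value
        q, r = rrset_bytes(owner, rtype, zone[(owner, rtype)])
        print(f"{owner} {rtype}: {n} records, ~{r / q:.1f}x UDP amplification")
        print("\n".join(f"  -> {split_owner(owner, rd)} TXT {rd}" for rd in zone[(owner, rtype)]))
```

Run against a real zone file the ratio grows linearly with the record count, so the same report shows both which RRsets will fail the reload and which ones are worth splitting for the amplification reason given above.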