Hello,
We are using bind9 with many SRV entries to allow for dynamic discovery of hosts to monitor in our infrastructure. We have 300+ SRV records for the same domain name.
After tonight's security update (9.16.48 -> 9.16.50), our DNS server never restarted. A named-zonecheck would issue error messages about "too many records".
Before:
After:
[...]
From my understanding, the number of unique records for the same domain name is now limited to 100, with no way to change it in named.conf.
In the 9.20 version of bind9, it looks like they introduced a configuration value to set this limit (probably because the 100 limit is a bit restrictive), but it doesn't exist in the security backport.
Also, from what I gathered from the patches, you override the "non-changeable" limit to 5000 in the build script, but only in developer mode:
diff --git a/configure b/configure
index 30e65f1..835cd94 100755
--- a/configure
+++ b/configure
@@ -12341,7 +12341,7 @@ fi
XTARGETS=
if test "$enable_developer" = "yes"; then :
- STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_cmocka+set}" = set || with_cmocka=yes
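Review bot: the new -DDNS_RBTDB_MAX_RTYPES=5000 is appended only inside the `if test "$enable_developer" = "yes"` branch, next to the existing -DDNS_RDATASET_MAX_RECORDS=5000, so the raised ceiling applies to developer builds alone while every production build keeps the compiled-in default with no configure or named.conf knob to change it. If a larger limit is meant to be a supported deployment choice, expose it through a dedicated configure option that sets DNS_RBTDB_MAX_RTYPES (and DNS_RDATASET_MAX_RECORDS) for all builds, and document the default value and its security rationale in the release notes; since this is the generated configure script, make sure the same change lands in configure.ac so the two do not drift.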
diff --git a/configure.ac b/configure.ac
index ffe087e..6db4250 100644
--- a/configure.ac
+++ b/configure.ac
In the meantime we have had to pin the version to 9.16.48.
Is this a conscious choice to address the CVE?
Would you be willing to backport the configuration option from 9.20 so that companies using a larger number of records per name can still run bind9 with the security update?
Thanks for your work!
Guillaume
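Before rolling a BIND update that tightens the per-name record ceiling onto a zone like the one described above, a practitioner would want to know in advance which names would trip it. The script below is an added example and not part of the original post or of BIND itself: it walks a master-format zone file, counts records per owner name and RR type, and reports the rdatasets that exceed a threshold (100 here, the figure the post reports for 9.16.50; the threshold is a parameter, not a value taken from BIND's source). It assumes a simple one-record-per-line layout (owner, optional TTL, optional class, type, rdata) with `$ORIGIN` and `@` handling, which is what dynamically generated service-discovery zones usually look like; parenthesised multi-line records and `$INCLUDE` are not handled. The sample zone is constructed inline.

```python
"""Pre-upgrade check: count resource records per (owner name, RR type) in a
master-format zone file and flag rdatasets above a configurable ceiling.

Added example for illustration; not BIND code. Assumes one record per line.
"""
from collections import Counter

CLASSES = {"IN", "CH", "HS"}

# Ceiling taken from the forum post's description of 9.16.50 (assumption).
DEFAULT_LIMIT = 100

# Constructed sample zone: 101 SRV records on one owner name (over the
# ceiling), 3 on another, plus apex records. Not taken from a real zone.
SAMPLE_ZONE = "\n".join(
    [
        "$ORIGIN example.net.",
        "$TTL 300",
        "@ IN SOA ns1 hostmaster 2024010101 3600 900 604800 300  ; apex",
        "@ IN NS ns1",
        "ns1 IN A 192.0.2.1",
    ]
    + [f"_node._tcp IN SRV 10 5 9100 host{i}" for i in range(101)]
    + [f"_mon._tcp 60 IN SRV 10 5 9090 mon{i}" for i in range(3)]
)


def qualify(owner, origin):
    """Turn a relative owner name into a fully qualified one."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}." if origin == "." else f"{owner}.{origin}"


def count_rdatasets(zone_text, default_origin="."):
    """Return Counter mapping (fqdn, rrtype) -> number of records."""
    origin = default_origin
    owner = None
    counts = Counter()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL and friends carry no records
            continue
        tokens = line.split()
        # A leading blank means "same owner as the previous record".
        if not raw[0].isspace():
            owner = tokens.pop(0)
        if owner is None:
            continue  # malformed: continuation line before any owner
        # Skip optional TTL and class, which may appear in either order.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        if not tokens:
            continue
        rtype = tokens[0].upper()
        counts[(qualify(owner, origin), rtype)] += 1
    return counts


def over_limit(counts, limit=DEFAULT_LIMIT):
    """Sorted list of (fqdn, rrtype, count) for rdatasets above the limit."""
    return sorted(
        (name, rtype, n) for (name, rtype), n in counts.items() if n > limit
    )


def types_per_name(counts):
    """Counter mapping fqdn -> number of distinct RR types at that name."""
    per_name = Counter()
    for (name, _rtype) in counts:
        per_name[name] += 1
    return per_name


if __name__ == "__main__":
    counts = count_rdatasets(SAMPLE_ZONE)
    for name, rtype, n in over_limit(counts):
        print(f"{name} {rtype}: {n} records (limit {DEFAULT_LIMIT})")
```

Run it against a real zone with `count_rdatasets(open("db.example.net").read())` and a `default_origin` matching the zone name; an empty result from `over_limit` means no rdataset would hit the reported ceiling. `types_per_name` is there because a separate limit on the number of distinct RR types at one name exists in the build flags shown in the post, and a discovery zone that mixes many types under one owner should be checked for that as well.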