[dns-operations] DNS activities in Japan
Mark Andrews
marka at isc.org
Wed Jul 6 05:01:57 UTC 2016
In message <20160704153404.GA11987 at nic.fr>, Stephane Bortzmeyer writes:
> On Mon, Jul 04, 2016 at 05:26:24PM +0900,
> fujiwara at jprs.co.jp <fujiwara at jprs.co.jp> wrote
> a message of 85 lines which said:
>
> > * [ For [LT] Secondary DNS Service ]
> >
> > See https://github.com/sischkg/xfer-limit
> >
> > Most authoritative DNS server software does not have a size limit on
> > zone transfers. He generated unlimited zone information at the master
> > server and transferred it to slave servers. BIND 9, Knot DNS and
> > PowerDNS slave servers received unlimited zone information and died.
> > The NSD slave DNS server received unlimited zone data and /tmp became full.
> >
> > He generated zone transfer size limit patches for BIND 9, Knot, NSD,
> > PowerDNS.

If you are going to do size limits then you need to apply them to
AXFR, IXFR, and UPDATE as a minimum. All of these can be used to
change the contents of a zone remotely.

That said, a zone master is a trusted source even when it is a second
party. It is easy to trace back misuse.

Basically it is a non-issue. It's like disk quotas. Usually more
pain than they are worth.

> > # this is a very interesting presentation.
>
> Knot seems to have a/the patch in the buffer:
> <https://gitlab.labs.nic.cz/labs/knot/merge_requests/541>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
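
An added example, not part of the original message and not code from any of the servers or patches mentioned: a toy secondary-side zone store that enforces one size quota on AXFR, IXFR and UPDATE alike, checking as records arrive so that an endless transfer is refused before it is buffered or committed. `ZoneStore`, `ZoneTooLarge`, `max_bytes` and the text-length size estimate are assumptions made for the illustration.

```python
import itertools

class ZoneTooLarge(Exception):
    """Raised when a change would push the zone past its quota."""

def rr_size(rr):
    # Rough size of one (owner, type, rdata) record, in bytes of text.
    return sum(len(field.encode()) for field in rr)

class ZoneStore:  # hypothetical secondary-side store; max_bytes is assumed
    def __init__(self, max_bytes):
        self.max_bytes, self.records = max_bytes, set()

    def _apply(self, base, deletes, adds):
        new = set(base)
        for rr in deletes:
            new.discard(rr)
        size = sum(rr_size(r) for r in new)
        for rr in adds:  # may be an endless stream, so check per record
            if rr not in new:
                size += rr_size(rr)
                if size > self.max_bytes:
                    raise ZoneTooLarge(f"{size} > {self.max_bytes} bytes")
                new.add(rr)
        self.records = new  # commit only after the whole change fits
        return size

    def axfr(self, stream):         # full transfer replaces the zone
        return self._apply((), (), stream)
    def ixfr(self, deletes, adds):  # incremental transfer edits the zone
        return self._apply(self.records, deletes, adds)
    update = ixfr                   # dynamic UPDATE has the same delete/add shape

def endless_records():
    # Constructed input: a sender that never stops producing records.
    for i in itertools.count():
        yield (f"h{i}.example.", "A", "192.0.2.1")

def demo():
    zone = ZoneStore(max_bytes=200)
    out = {"initial": zone.axfr([("example.", "NS", "ns1.example."),
                                 ("ns1.example.", "A", "192.0.2.53")])}
    for path in ("axfr", "ixfr", "update"):
        args = (endless_records(),) if path == "axfr" else ([], endless_records())
        try:
            getattr(zone, path)(*args)
        except ZoneTooLarge:
            out[path] = "refused"
    out["records_kept"] = len(zone.records)
    return out
```

Calling `demo()` shows all three paths refused at the same threshold while the previously accepted zone contents stay in place.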