Large Zone Transfers Failing in Latest Buster Update
Eduardo M KALINOWSKI
2024-08-02 13:20:01 UTC
We just ran the latest updates for Debian Buster on one of our DNS
servers running bind9 and one of the slave domains is failing with this
Aug  2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN'
from <ip address>#53: Transfer status: too many records
There are about 1,400 records in that domain which has never posed a
problem in the past.
We have tried force transfers, purging journal files and nothing seems
to work.
We rolled back the update to one performed earlier in the month and now
everything is working.
Anybody have any idea what is going on with this latest update?
Maybe related to https://kb.isc.org/docs/rrset-limits-in-zones ?

See also
https://lists.debian.org/debian-security-announce/2024/msg00145.html
(even if it does not directly apply to buster).
--
The same duty that binds the servant to the sovereign binds the
wife to the husband.
-- William Shakespeare

Eduardo M KALINOWSKI
***@kalinowski.com.br
Brian
2024-08-02 13:20:01 UTC
We just ran the latest updates for Debian Buster on one of our DNS servers running bind9 and one of the slave domains is failing with this message:
Aug  2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN' from <ip address>#53: Transfer status: too many records
There are about 1,400 records in that domain which has never posed a problem in the past.

We have tried force transfers, purging journal files and nothing seems to work.
We rolled back the update to one performed earlier in the month and now everything is working.
Anybody have any idea what is going on with this latest update?

Thanks,
Brian
Jeffrey Walton
2024-08-02 14:20:01 UTC
Aug 2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN' from <ip address>#53: Transfer status: too many records
There are about 1,400 records in that domain which has never posed a problem in the past.
We have tried force transfers, purging journal files and nothing seems to work.
We rolled back the update to one performed earlier in the month and now everything is working.
Anybody have any idea what is going on with this latest update?
I think this might be "bind9 update 9.16.50 -- too many record" from
the debian-security mailing list at
<https://lists.debian.org/debian-security/2024/07/msg00003.html>.

Jeff
Roberto C. Sánchez
2024-08-02 14:40:01 UTC
Post by Jeffrey Walton
Aug 2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN' from <ip address>#53: Transfer status: too many records
There are about 1,400 records in that domain which has never posed a problem in the past.
We have tried force transfers, purging journal files and nothing seems to work.
We rolled back the update to one performed earlier in the month and now everything is working.
Anybody have any idea what is going on with this latest update?
I think this might be "bind9 update 9.16.50 -- too many record" from
the debian-security mailing list at
<https://lists.debian.org/debian-security/2024/07/msg00003.html>.
Which seems unlikely on a system running buster.
--
Roberto C. Sánchez
Jeffrey Walton
2024-08-02 14:50:01 UTC
Post by Roberto C. Sánchez
Post by Jeffrey Walton
Aug 2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN' from <ip address>#53: Transfer status: too many records
There are about 1,400 records in that domain which has never posed a problem in the past.
We have tried force transfers, purging journal files and nothing seems to work.
We rolled back the update to one performed earlier in the month and now everything is working.
Anybody have any idea what is going on with this latest update?
I think this might be "bind9 update 9.16.50 -- too many record" from
the debian-security mailing list at
<https://lists.debian.org/debian-security/2024/07/msg00003.html>.
Which seems unlikely on a system running buster.
Maybe I am mis-parsing things, but the backporting to older Debian
versions is discussed, starting with the question, "Would you be
willing to backport the configuration of 9.20 so that companies using
larger record number per name can still use bind9 with security
update?" The first answer appears at
<https://lists.debian.org/debian-security/2024/07/msg00004.html>.

My apologies if I am mis-parsing things.

Jeff
Roberto C. Sánchez
2024-08-02 15:00:01 UTC
Post by Jeffrey Walton
Post by Roberto C. Sánchez
Post by Jeffrey Walton
Aug 2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN' from <ip address>#53: Transfer status: too many records
There are about 1,400 records in that domain which has never posed a problem in the past.
We have tried force transfers, purging journal files and nothing seems to work.
We rolled back the update to one performed earlier in the month and now everything is working.
Anybody have any idea what is going on with this latest update?
I think this might be "bind9 update 9.16.50 -- too many record" from
the debian-security mailing list at
<https://lists.debian.org/debian-security/2024/07/msg00003.html>.
Which seems unlikely on a system running buster.
Maybe I am mis-parsing things, but the backporting to older Debian
versions is discussed, starting with the question, "Would you be
willing to backport the configuration of 9.20 so that companies using
larger record number per name can still use bind9 with security
update?" The first answer appears at
<https://lists.debian.org/debian-security/2024/07/msg00004.html>.
I agree that it is discussed as you say. However, that discussion is
about backporting the 9.20 configuration changes to bind9 in *bullseye*,
while the OP in this thread indicated that the problem was in bind9
on a system running *buster*. The last bind9 update on buster [0] was
uploaded on 2024-05-17, and did not involve the 9.20 configuration
changes. So, the OP should be considering what else has changed that may
have caused the observed failure.

Regards,

-Roberto

[0] https://tracker.debian.org/news/1530724/accepted-bind9-19115p4dfsg-51deb10u11-source-into-oldoldstable/
--
Roberto C. Sánchez
Brian
2024-08-02 13:30:01 UTC
We just ran the latest updates for Debian Buster on one of our DNS
servers running bind9 and one of the slave domains is failing with this
Aug  2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN'
from <ip address>#53: Transfer status: too many records
There are about 1,400 records in that domain which has never posed a problem in the past.
We have tried force transfers, purging journal files and nothing seems to work.
We rolled back the update to one performed earlier in the month and now
everything is working.
Anybody have any idea what is going on with this latest update?
Maybe related to https://kb.isc.org/docs/rrset-limits-in-zones ?

See also
https://lists.debian.org/debian-security-announce/2024/msg00145.html
(even if it does not directly apply to buster).
--
    The same duty that binds the servant to the sovereign binds the
    wife to the husband.
        --  William Shakespeare

Eduardo M KALINOWSKI
***@kalinowski.com.br


Thanks, I will check into that over the weekend and report back.
Roberto C. Sánchez
2024-08-02 13:50:01 UTC
Post by Eduardo M KALINOWSKI
We just ran the latest updates for Debian Buster on one of our DNS
servers running bind9 and one of the slave domains is failing with this
Aug  2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN'
from <ip address>#53: Transfer status: too many records
There are about 1,400 records in that domain which has never posed a
problem in the past.
We have tried force transfers, purging journal files and nothing seems to work.
We rolled back the update to one performed earlier in the month and now
everything is working.
Anybody have any idea what is going on with this latest update?
Maybe related to https://kb.isc.org/docs/rrset-limits-in-zones ?
See also
https://lists.debian.org/debian-security-announce/2024/msg00145.html (even
if it does not directly apply to buster).
That seems unlikely, as the bind9 package in buster has not yet been
updated to fix the CVEs referenced in that particular DSA.

Brian, can you provide more details about what specific packages were
updated and from what version to what version? You can find that
information in /var/log/dpkg.log*.

Regards,

-Roberto
--
Roberto C. Sánchez
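
One way to pull that information out of the dpkg logs, as an added example that is not part of Roberto's message or of the thread: the function below lists install, upgrade and remove actions for BIND-related packages with their old and new versions. The package-name pattern and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise BIND-related version changes from dpkg logs.
# Usage: bind9_pkg_changes /var/log/dpkg.log*     (or pipe log text on stdin)

bind9_pkg_changes() {
    # Assumed pattern for BIND packages and their libraries; override with
    # BIND_PKG_PATTERN if your package names differ.
    pat=${BIND_PKG_PATTERN:-'bind9|^libdns|^libisc|^liblwres|^dnsutils'}
    {
        if [ "$#" -eq 0 ]; then
            cat
        else
            for f in "$@"; do
                case "$f" in
                    *.gz) gzip -dc -- "$f" ;;   # rotated logs are compressed
                    *)    cat -- "$f" ;;
                esac
            done
        fi
    } | awk -v pat="$pat" '
        # Action lines: DATE TIME ACTION PKG:ARCH OLD-VERSION NEW-VERSION
        # "status ..." and "startup ..." lines are ignored.
        ($3 == "install" || $3 == "upgrade" || $3 == "remove") && $4 ~ pat {
            printf "%s %s %s %s %s -> %s\n", $1, $2, $3, $4, $5, $6
        }' | sort      # date and time lead each line, so this is chronological
}

# Constructed sample input (not taken from the poster's system).
sample_dpkg_log() {
    cat <<'EOF'
2024-08-02 06:58:10 startup archives unpack
2024-08-02 06:58:12 upgrade bind9:amd64 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u11
2024-08-02 06:58:11 upgrade libdns1104:amd64 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u11
2024-08-02 06:58:11 status half-configured libdns1104:amd64 1:9.11.5.P4+dfsg-5.1+deb10u7
2024-08-02 06:58:13 upgrade examplepkg:amd64 1.0-1 1.0-2
EOF
}

sample_dpkg_log | bind9_pkg_changes
```
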
Eduardo M KALINOWSKI
2024-08-02 14:00:01 UTC
Post by Roberto C. Sánchez
Post by Eduardo M KALINOWSKI
Maybe related to https://kb.isc.org/docs/rrset-limits-in-zones ?
See also
https://lists.debian.org/debian-security-announce/2024/msg00145.html (even
if it does not directly apply to buster).
That seems unlikely, as the bind9 package in buster has not yet been
updated to fix the CVEs referenced in that particular DSA.
Brian, can you provide more details about what specific packages were
updated and from what version to what version? You can find that
information in /var/log/dpkg.log*.
buster has a new upstream version 9.20.0, which includes the new
configuration options, and a default limit of 100 for each when they're
not set (according to the first link).
--
All your files have been destroyed (sorry). Paul.

Eduardo M KALINOWSKI
***@kalinowski.com.br
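
To check whether a zone would run into the per-RRset and per-name limits of 100 mentioned above, the following added example (not part of the thread) counts records per owner name and type, and types per owner name. It assumes zone text with one record per line in `name ttl class type rdata` form, as `dig` prints for an AXFR; the option names in the comments (`max-records-per-type`, `max-types-per-name`) come from BIND's documentation rather than from this page, and the sample zone is constructed.

```shell
#!/bin/sh
# Added example: report RRsets and names that exceed a limit (default 100).
# Usage: rrset_limit_report [LIMIT] < zone.txt

rrset_limit_report() {
    limit=${1:-100}
    awk -v limit="$limit" '
        NF == 0 || $1 ~ /^;/ { next }          # skip blank lines and comments
        NF >= 5 && $3 == "IN" {
            name = tolower($1)                 # DNS names are case-insensitive
            key = name " " $4
            if (!(key in rr)) types[name]++    # first record of a new type
            rr[key]++
        }
        END {
            # RRsets larger than the limit (cf. max-records-per-type)
            for (k in rr) if (rr[k] > limit)
                print "records-per-type " k " " rr[k]
            # names with more types than the limit (cf. max-types-per-name)
            for (n in types) if (types[n] > limit)
                print "types-per-name " n " " types[n]
        }' | sort
}

# Constructed sample zone: one name carries 120 A records.
sample_zone() {
    echo "; constructed sample data"
    echo "example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 3600 600 86400 300"
    echo "example.test. 3600 IN NS ns1.example.test."
    i=1
    while [ "$i" -le 120 ]; do
        echo "pool.example.test. 300 IN A 192.0.2.$i"
        i=$((i + 1))
    done
    for i in 1 2 3; do
        echo "www.example.test. 300 IN A 198.51.100.$i"
    done
}

sample_zone | rrset_limit_report
```
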
Roberto C. Sánchez
2024-08-02 14:40:02 UTC
Post by Eduardo M KALINOWSKI
Post by Roberto C. Sánchez
Post by Eduardo M KALINOWSKI
Maybe related to https://kb.isc.org/docs/rrset-limits-in-zones ?
See also
https://lists.debian.org/debian-security-announce/2024/msg00145.html (even
if it does not directly apply to buster).
That seems unlikely, as the bind9 package in buster has not yet been
updated to fix the CVEs referenced in that particular DSA.
Brian, can you provide more details about what specific packages were
updated and from what version to what version? You can find that
information in /var/log/dpkg.log*.
buster has a new upstream version 9.20.0, which includes the new
configuration options, and a default limit of 100 for each when they're not
set (according to the first link).
That new upstream version (9.20.0) is in sid/trixie. Buster has this:

***@build01:/# cat /etc/debian_version
10.13
***@build01:/# apt-cache policy bind9
bind9:
  Installed: (none)
  Candidate: 1:9.11.5.P4+dfsg-5.1+deb10u11
  Version table:
     1:9.11.5.P4+dfsg-5.1+deb10u11 500
        500 http://security.debian.org buster/updates/main amd64 Packages
     1:9.11.5.P4+dfsg-5.1+deb10u7 500
        500 http://deb.debian.org/debian buster/main amd64 Packages

This matches what is listed in the PTS [0].

[0] https://tracker.debian.org/pkg/bind9
--
Roberto C. Sánchez
Eduardo M KALINOWSKI
2024-08-02 14:50:01 UTC
You're right, I've been once more confused by the lack of any logical
sequence between Debian release codenames.
--
We are the people our parents warned us about.

Eduardo M KALINOWSKI
***@kalinowski.com.br