diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index 68755b35aa..03f2b9c7cc 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -39,7 +39,7 @@
 named-checkconf \- named configuration file syntax checking tool
 .SH "SYNOPSIS"
 .HP \w'\fBnamed\-checkconf\fR\ 'u
-\fBnamed\-checkconf\fR [\fB\-hjvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
+\fBnamed\-checkconf\fR [\fB\-hjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkconf\fR
@@ -74,6 +74,11 @@ Print the usage summary and exit\&.
 When loading a zonefile read the journal if it exists\&.
 .RE
 .PP
+\-l
+.RS 4
+List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
+.RE
+.PP
 \-p
 .RS 4
 Print out the
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index 3b41974ef4..a73ae29724 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -20,7 +20,7 @@

Synopsis

-

named-checkconf [-hjvz] [-p +

named-checkconf [-hjlvz] [-p [-x ]] [-t directory] {filename}

@@ -55,6 +55,12 @@

When loading a zonefile read the journal if it exists.

+
-l
+

+ List all the configured zones. Each line of output + contains the zone name, class (e.g. IN), view, and type + (e.g. master or slave). +

-p

Print out the named.conf and included files
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 7d0a0a1dac..9f548cc63c 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -369,6 +369,7 @@ options {
 ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
 };
 max\-journal\-size \fIsize_no_default\fR;
+ max\-records \fIinteger\fR;
 max\-transfer\-time\-in \fIinteger\fR;
 max\-transfer\-time\-out \fIinteger\fR;
 max\-transfer\-idle\-in \fIinteger\fR;
@@ -556,6 +557,7 @@ view \fIstring\fR \fIoptional_class\fR {
 ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
 };
 max\-journal\-size \fIsize_no_default\fR;
+ max\-records \fIinteger\fR;
 max\-transfer\-time\-in \fIinteger\fR;
 max\-transfer\-time\-out \fIinteger\fR;
 max\-transfer\-idle\-in \fIinteger\fR;
@@ -650,6 +652,7 @@ zone \fIstring\fR \fIoptional_class\fR {
 ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&.
 };
 max\-journal\-size \fIsize_no_default\fR;
+ max\-records \fIinteger\fR;
 max\-transfer\-time\-in \fIinteger\fR;
 max\-transfer\-time\-out \fIinteger\fR;
 max\-transfer\-idle\-in \fIinteger\fR;
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 42655e4e7a..f22501a677 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -320,6 +320,7 @@ options };

max-journal-size size_no_default;
+ max-records integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
@@ -523,6 +524,7 @@ view };

max-journal-size size_no_default;
+ max-records integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
@@ -623,6 +625,7 @@ zone };

max-journal-size size_no_default;
+ max-records integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index ad6c528023..360e82fe4e 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -2402,6 +2402,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [ use-queryport-pool yes_or_no; ] [ queryport-pool-ports number; ] [ queryport-pool-updateinterval number; ] + [ max-records number; ] [ max-transfer-time-in number; ] [ max-transfer-time-out number; ] [ max-transfer-idle-in number; ] @@ -5594,6 +5595,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; means 2 gigabytes. This may also be set on a per-zone basis.

+
max-records
+

+ The maximum number of records permitted in a zone. + The default is zero which means unlimited. +

host-statistics-max

In BIND 8, specifies the maximum number of host statistics @@ -9171,6 +9177,11 @@ zone zone_name [max-journal-size in the section called “Server Resource Limits”.

+
max-records
+

+ See the description of + max-records in the section called “Server Resource Limits”. +

max-transfer-time-in

See the description of
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 51e72f70c1..3f677d2bcd 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -108,6 +108,13 @@

Security Fixes

    +
  • + Added the ability to specify the maximum number of records + permitted in a zone (max-records #;). This provides a mechanism + to block overly large zone transfers, which is a potential risk + with slave zones from other parties, as described in CVE-2016-6170. + [RT #42143] +

  • It was possible to trigger a assertion when rendering a message using a specially crafted request. This flaw is diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index f60aa5ff4a..ba3d27b552 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -38,7 +38,7 @@

Synopsis

-

named-checkconf [-hjvz] [-p +

named-checkconf [-hjlvz] [-p [-x ]] [-t directory] {filename}

@@ -73,6 +73,12 @@

When loading a zonefile read the journal if it exists.

+
-l
+

+ List all the configured zones. Each line of output + contains the zone name, class (e.g. IN), view, and type + (e.g. master or slave). +

-p

Print out the named.conf and included files diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 824ae9cb7f..2e6ad1023c 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -338,6 +338,7 @@ options };

max-journal-size size_no_default;
+ max-records integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
@@ -541,6 +542,7 @@ view };

max-journal-size size_no_default;
+ max-records integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
@@ -641,6 +643,7 @@ zone };

max-journal-size size_no_default;
+ max-records integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 2639a469ad..63dfa108b4 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -69,6 +69,13 @@

Security Fixes

    +
  • + Added the ability to specify the maximum number of records + permitted in a zone (max-records #;). This provides a mechanism + to block overly large zone transfers, which is a potential risk + with slave zones from other parties, as described in CVE-2016-6170. + [RT #42143] +

  • It was possible to trigger a assertion when rendering a message using a specially crafted request. This flaw is diff --git a/doc/misc/options b/doc/misc/options index 1f7bc3604c..16b1b47f0d 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -217,6 +217,7 @@ options { max-ixfr-log-size ( unlimited | default | ); // obsolete max-journal-size ( unlimited | ); max-ncache-ttl ; + max-records ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; @@ -521,6 +522,7 @@ view [ ] { max-ixfr-log-size ( unlimited | default | ); // obsolete max-journal-size ( unlimited | ); max-ncache-ttl ; + max-records ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; @@ -703,6 +705,7 @@ view [ ] { max-ixfr-log-size ( unlimited | default | ); // obsolete max-journal-size ( unlimited | ); + max-records ; max-refresh-time ; max-retry-time ; max-transfer-idle-in ; @@ -806,6 +809,7 @@ zone [ ] { ] ) [ key ]; ... }; max-ixfr-log-size ( unlimited | default | ); // obsolete max-journal-size ( unlimited | ); + max-records ; max-refresh-time ; max-retry-time ; max-transfer-idle-in ;