From d08d5a5949591125261b046fdc274aa2d9cf56d6 Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Thu, 3 Nov 2016 01:24:35 +0000 Subject: [PATCH] regen v9_9 --- bin/named/named.conf.5 | 3 + bin/named/named.conf.html | 3 + doc/arm/Bv9ARM.ch06.html | 11 ++++ doc/arm/Bv9ARM.ch09.html | 7 +++ doc/arm/man.named.conf.html | 3 + doc/arm/notes.html | 7 +++ doc/misc/options | 116 ++++++++++++++++++++++-------------- 7 files changed, 104 insertions(+), 46 deletions(-) diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index 37f4ef975c..e915799054 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -349,6 +349,7 @@ options { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&. }; max\-journal\-size \fIsize_no_default\fR; + max\-records \fIinteger\fR; max\-transfer\-time\-in \fIinteger\fR; max\-transfer\-time\-out \fIinteger\fR; max\-transfer\-idle\-in \fIinteger\fR; @@ -528,6 +529,7 @@ view \fIstring\fR \fIoptional_class\fR { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&. }; max\-journal\-size \fIsize_no_default\fR; + max\-records \fIinteger\fR; max\-transfer\-time\-in \fIinteger\fR; max\-transfer\-time\-out \fIinteger\fR; max\-transfer\-idle\-in \fIinteger\fR; @@ -619,6 +621,7 @@ zone \fIstring\fR \fIoptional_class\fR { ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; \&.\&.\&. }; max\-journal\-size \fIsize_no_default\fR; + max\-records \fIinteger\fR; max\-transfer\-time\-in \fIinteger\fR; max\-transfer\-time\-out \fIinteger\fR; max\-transfer\-idle\-in \fIinteger\fR; diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index a3ac9f0515..1cd01baafe 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -300,6 +300,7 @@ options };

max-journal-size size_no_default;
+ max-records integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
@@ -493,6 +494,7 @@ view };

max-journal-size size_no_default;
+ max-records integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
@@ -589,6 +591,7 @@ zone };

max-journal-size size_no_default;
+ max-records integer;
max-transfer-time-in integer;
max-transfer-time-out integer;
max-transfer-idle-in integer;
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 562d8bfa08..3f004bdb7a 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -2267,6 +2267,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [ use-queryport-pool yes_or_no; ] [ queryport-pool-ports number; ] [ queryport-pool-updateinterval number; ] + [ max-records number; ] [ max-transfer-time-in number; ] [ max-transfer-time-out number; ] [ max-transfer-idle-in number; ] @@ -4877,6 +4878,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; means 2 gigabytes. This may also be set on a per-zone basis.

+
max-records
+

+ The maximum number of records permitted in a zone. + The default is zero which means unlimited. +

host-statistics-max

In BIND 8, specifies the maximum number of host statistics @@ -8047,6 +8053,11 @@ zone zone_name [max-journal-size in the section called “Server Resource Limits”.

+
max-records
+

+ See the description of + max-records in the section called “Server Resource Limits”. +

max-transfer-time-in

See the description of diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 53a3c861fb..c8e05d1f65 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -88,6 +88,13 @@

Security Fixes

    +

  • + Added the ability to specify the maximum number of records + permitted in a zone (max-records #;). This provides a mechanism + to block overly large zone transfers, which is a potential risk + with slave zones from other parties, as described in CVE-2016-6170. + [RT #42143] +

  • It was possible to trigger a assertion when rendering a message using a specially crafted request. This flaw is diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index d71a6605b2..15b6ea6b73 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -319,6 +319,7 @@ options };

    max-journal-size size_no_default;
    + max-records integer;
    max-transfer-time-in integer;
    max-transfer-time-out integer;
    max-transfer-idle-in integer;
    @@ -512,6 +513,7 @@ view };

    max-journal-size size_no_default;
    + max-records integer;
    max-transfer-time-in integer;
    max-transfer-time-out integer;
    max-transfer-idle-in integer;
    @@ -608,6 +610,7 @@ zone };

    max-journal-size size_no_default;
    + max-records integer;
    max-transfer-time-in integer;
    max-transfer-time-out integer;
    max-transfer-idle-in integer;
    diff --git a/doc/arm/notes.html b/doc/arm/notes.html index a7f6b3de88..df1dbbbcb4 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -48,6 +48,13 @@

    Security Fixes

      +

    • + Added the ability to specify the maximum number of records + permitted in a zone (max-records #;). This provides a mechanism + to block overly large zone transfers, which is a potential risk + with slave zones from other parties, as described in CVE-2016-6170. + [RT #42143] +

    • It was possible to trigger a assertion when rendering a message using a specially crafted request. This flaw is diff --git a/doc/misc/options b/doc/misc/options index f23568cda1..9d23c62e72 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -2,15 +2,17 @@ This is a summary of the named.conf options supported by this version of BIND 9. -acl { ; ... }; +acl { ; ... }; // may occur multiple times controls { - inet ( | | * ) [ port ( | * - ) ] allow { ; ... } [ keys { ; - ... } ]; - unix perm owner group - [ keys { ; ... } ]; -}; + inet ( | | + * ) [ port ( | * ) ] allow + { ; ... } [ + keys { ; ... } ]; // may occur multiple times + unix perm + owner group [ + keys { ; ... } ]; // may occur multiple times +}; // may occur multiple times dlz { database ; @@ -19,10 +21,10 @@ dlz { key { algorithm ; secret ; -}; +}; // may occur multiple times logging { - category { ; ... }; + category { ; ... }; // may occur multiple times channel { file [ versions ( "unlimited" | ) ] [ size ]; @@ -33,7 +35,7 @@ logging { severity ; stderr; syslog [ ]; - }; + }; // may occur multiple times }; lwres { @@ -42,13 +44,15 @@ lwres { ndots ; search { ; ... }; view [ ]; -}; +}; // may occur multiple times -managed-keys { - ; ... }; +managed-keys { + ; ... }; // may occur multiple times -masters [ port ] { ( | [ port - ] | [ port ] ) [ key ]; ... }; +masters [ port ] { ( + | [ port + ] | [ port ] ) [ + key ]; ... }; // may occur multiple times options { acache-cleaning-interval ; @@ -85,7 +89,8 @@ options { check-integrity ; check-mx ( fail | warn | ignore ); check-mx-cname ( fail | warn | ignore ); - check-names ( master | slave | response ) ( fail | warn | ignore ); + check-names ( master | slave | response + ) ( fail | warn | ignore ); // may occur multiple times check-sibling ; check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); @@ -101,8 +106,9 @@ options { ; ... } ]; dialup ( notify | notify-passive | refresh | passive | ); directory ; - disable-algorithms { ; ... }; - disable-empty-zone ; + disable-algorithms { ; + ... }; // may occur multiple times + disable-empty-zone ; // may occur multiple times dns64 { break-dnssec ; clients { ; ... }; @@ -110,15 +116,16 @@ options { mapped { ; ... }; recursive-only ; suffix ; - }; + }; // may occur multiple times dns64-contact ; dns64-server ; dnssec-accept-expired ; dnssec-dnskey-kskonly ; dnssec-enable ; dnssec-loadkeys-interval ; - dnssec-lookaside ( trust-anchor | auto | no ); - dnssec-must-be-secure ; + dnssec-lookaside ( trust-anchor + | auto | no ); // may occur multiple times + dnssec-must-be-secure ; // may occur multiple times dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); @@ -153,8 +160,10 @@ options { ixfr-from-differences ( master | slave | ); key-directory ; lame-ttl ; - listen-on [ port ] { ; ... }; - listen-on-v6 [ port ] { ; ... }; + listen-on [ port ] { + ; ... }; // may occur multiple times + listen-on-v6 [ port ] { + ; ... }; // may occur multiple times maintain-ixfr-base ; // obsolete managed-keys-directory ; masterfile-format ( text | raw ); @@ -166,6 +175,7 @@ options { max-ixfr-log-size ( unlimited | default | ); // obsolete max-journal-size ; max-ncache-ttl ; + max-records ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; @@ -280,14 +290,17 @@ server { transfer-source ( | * ) [ port ( | * ) ]; transfer-source-v6 ( | * ) [ port ( | * ) ]; transfers ; -}; +}; // may occur multiple times statistics-channels { - inet ( | | * ) [ port ( | * - ) ] [ allow { ; ... } ]; -}; + inet ( | | + * ) [ port ( | * ) ] [ + allow { ; ... + } ]; // may occur multiple times +}; // may occur multiple times -trusted-keys { ; ... }; +trusted-keys { + ; ... }; // may occur multiple times view [ ] { acache-cleaning-interval ; @@ -320,7 +333,8 @@ view [ ] { check-integrity ; check-mx ( fail | warn | ignore ); check-mx-cname ( fail | warn | ignore ); - check-names ( master | slave | response ) ( fail | warn | ignore ); + check-names ( master | slave | response + ) ( fail | warn | ignore ); // may occur multiple times check-sibling ; check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); @@ -332,8 +346,9 @@ view [ ] { deny-answer-aliases { ; ... } [ except-from { ; ... } ]; dialup ( notify | notify-passive | refresh | passive | ); - disable-algorithms { ; ... }; - disable-empty-zone ; + disable-algorithms { ; + ... }; // may occur multiple times + disable-empty-zone ; // may occur multiple times dlz { database ; }; @@ -344,15 +359,16 @@ view [ ] { mapped { ; ... }; recursive-only ; suffix ; - }; + }; // may occur multiple times dns64-contact ; dns64-server ; dnssec-accept-expired ; dnssec-dnskey-kskonly ; dnssec-enable ; dnssec-loadkeys-interval ; - dnssec-lookaside ( trust-anchor | auto | no ); - dnssec-must-be-secure ; + dnssec-lookaside ( trust-anchor + | auto | no ); // may occur multiple times + dnssec-must-be-secure ; // may occur multiple times dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); @@ -378,12 +394,13 @@ view [ ] { key { algorithm ; secret ; - }; + }; // may occur multiple times key-directory ; lame-ttl ; maintain-ixfr-base ; // obsolete - managed-keys { - ; ... }; + managed-keys { + + ; ... }; // may occur multiple times masterfile-format ( text | raw ); match-clients { ; ... }; match-destinations { ; ... }; @@ -395,6 +412,7 @@ view [ ] { max-ixfr-log-size ( unlimited | default | ); // obsolete max-journal-size ; max-ncache-ttl ; + max-records ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; @@ -457,7 +475,7 @@ view [ ] { transfer-source-v6 ( | * ) [ port ( | * ) ]; transfers ; - }; + }; // may occur multiple times sig-signing-nodes ; sig-signing-signatures ; sig-signing-type ; @@ -468,8 +486,9 @@ view [ ] { transfer-format ( many-answers | one-answer ); transfer-source ( | * ) [ port ( | * ) ]; transfer-source-v6 ( | * ) [ port ( | * ) ]; - trusted-keys { - ; ... }; + trusted-keys { + ; + ... }; // may occur multiple times try-tcp-refresh ; update-check-ksk ; use-alt-transfer-source ; @@ -526,6 +545,7 @@ view [ ] { max-ixfr-log-size ( unlimited | default | ); // obsolete max-journal-size ; + max-records ; max-refresh-time ; max-retry-time ; max-transfer-idle-in ; @@ -543,8 +563,10 @@ view [ ] { | * ) ]; notify-to-soa ; nsec3-test-zone ; // test only - pubkey - ; // obsolete + pubkey + + + ; // obsolete, may occur multiple times request-ixfr ; serial-update-method ( increment | unixtime ); server-addresses { ( | ) [ @@ -570,9 +592,9 @@ view [ ] { use-alt-transfer-source ; zero-no-soa-ttl ; zone-statistics ( full | terse | none | ); - }; + }; // may occur multiple times zone-statistics ( full | terse | none | ); -}; +}; // may occur multiple times zone [ ] { allow-notify { ; ... }; @@ -621,6 +643,7 @@ zone [ ] { ]; ... }; max-ixfr-log-size ( unlimited | default | ); // obsolete max-journal-size ; + max-records ; max-refresh-time ; max-retry-time ; max-transfer-idle-in ; @@ -636,7 +659,8 @@ zone [ ] { notify-source-v6 ( | * ) [ port ( | * ) ]; notify-to-soa ; nsec3-test-zone ; // test only - pubkey ; // obsolete + pubkey + ; // obsolete, may occur multiple times request-ixfr ; serial-update-method ( increment | unixtime ); server-addresses { ( | ) [ port @@ -659,5 +683,5 @@ zone [ ] { use-alt-transfer-source ; zero-no-soa-ttl ; zone-statistics ( full | terse | none | ); -}; +}; // may occur multiple times