Bug 1174953

Summary: bind: Rate Limiting (DNS RRL) patch is not documented in Red Hat Enterprise Linux 6 manual pages
Product: Red Hat Enterprise Linux 6
Reporter: Bryan Totty <btotty>
Component: bind
Assignee: Tomáš Hozza <thozza>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: medium
Priority: medium
Version: 6.6
CC: btotty, chorn, jlieskov, kevin, noah.robin, ovasik, qe-baseos-daemons, thozza, tlavigne
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: http://www.redbarn.org/dns/ratelimits
Doc Type: Bug Fix
Clone Of: 873624
Type: Bug
Last Closed: 2015-03-09 07:28:41 UTC
Bug Depends On: 873624
Bug Blocks: 906312

Comment 1 Bryan Totty 2014-12-16 20:32:56 UTC
There is no documentation of the added rate-limit parameter in the named.conf manual page.

# man named.conf

Or in

# man named

However, there are some hits at:

# grep -ir "rate limit" /usr/share/doc/bind-9.8.2/
/usr/share/doc/bind-9.8.2/CHANGES:2026.	[bug]		Rate limit the two recursive client exceeded messages.
/usr/share/doc/bind-9.8.2/CHANGES:1341.	[func]		Allow a rate limiter to be stalled.
/usr/share/doc/bind-9.8.2/CHANGES:			rate limiting of the transmitted messages.
/usr/share/doc/bind-9.8.2/CHANGES:			be rate limited so as to not use up all file
/usr/share/doc/bind-9.8.2/CHANGES:  99.	[cleanup]	Rate limiter now has separate shutdown() and
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:		      rate limiting of a stream of responses are logged at
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:		      minute after rate limit stops.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:		      Rate limiting of individual requests
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:         <title>Rate Limiting</title>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Rate limiting works by setting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Rate limiting uses a "credit" or "token bucket" scheme.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Rate limiting prevents the use of BIND 9 to flood a network
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           or sends no rate limiting truncated responses.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate limiting by putting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           DNS clients within a view can be exempted from rate limits
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           This rate limiting is unlike the rate limiting provided by
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate limiting offered by firewalls but often inferior.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           but that rate limiting must be done before the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate limit responses is set with <command>max-table-size</command>.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Use <command>log-only yes</command> to test rate limiting parameters
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Responses dropped by rate limits are included in the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Responses that truncated by rate limits are included in
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:			Responses dropped by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:			Responses truncated by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:		      rate limiting of a stream of responses are logged at
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:		      minute after rate limit stops.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:		      Rate limiting of individual requests
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:         <title>Rate Limiting</title>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Rate limiting works by setting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Rate limiting uses a "credit" or "token bucket" scheme.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Rate limiting prevents the use of BIND 9 to flood a network
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           or sends no rate limiting truncated responses.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate limiting by putting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           DNS clients within a view can be exempted from rate limits
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           This rate limiting is unlike the rate limiting provided by
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate limiting offered by firewalls but often inferior.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           but that rate limiting must be done before the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate limit responses is set with <command>max-table-size</command>.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Use <command>log-only yes</command> to test rate limiting parameters
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Responses dropped by rate limits are included in the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Responses that truncated by rate limits are included in
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:			Responses dropped by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:			Responses truncated by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                      rate limiting of a stream of responses are logged at
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                      minute after rate limit stops.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                      Rate limiting of individual requests
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:<div class="sect3" title="Rate Limiting">
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:<a name="idp2308624"></a>Rate Limiting</h4></div></div></div>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Rate limiting works by setting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Rate limiting uses a "credit" or "token bucket" scheme.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Rate limiting prevents the use of BIND 9 to flood a network
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           or sends no rate limiting truncated responses.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate limiting by putting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           DNS clients within a view can be exempted from rate limits
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           This rate limiting is unlike the rate limiting provided by
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate limiting offered by firewalls but often inferior.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           but that rate limiting must be done before the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate limit responses is set with <span class="command"><strong>max-table-size</strong></span>.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Use <span class="command"><strong>log-only yes</strong></span> to test rate limiting parameters
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Responses dropped by rate limits are included in the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Responses that truncated by rate limits are included in
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                        Responses dropped by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                        Responses truncated by rate limits.

# grep -ir "rate-limit" /usr/share/doc/bind-9.8.2/
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:                    <para><command>rate-limit</command></para>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:    <optional> rate-limit {
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           <command>rate-limit</command> clause in an
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate-limited responses to legitimate
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate-limiting in a view or to only rate-limit NXDOMAIN or other
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           <command>rate-limit</command> statements in <command>view</command>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           A <command>rate-limit</command> statement in a view replaces
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           instead of being merged with a <command>rate-limit</command>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Enable <command>rate-limit</command> category logging to monitor
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:                    <para><command>rate-limit</command></para>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:    <optional> rate-limit {
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           <command>rate-limit</command> clause in an
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate-limited responses to legitimate
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate-limiting in a view or to only rate-limit NXDOMAIN or other
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           <command>rate-limit</command> statements in <command>view</command>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           A <command>rate-limit</command> statement in a view replaces
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           instead of being merged with a <command>rate-limit</command>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Enable <command>rate-limit</command> category logging to monitor
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                    <p><span class="command"><strong>rate-limit</strong></span></p>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:    [<span class="optional"> rate-limit {
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           <span class="command"><strong>rate-limit</strong></span> clause in an
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate-limited responses to legitimate
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate-limiting in a view or to only rate-limit NXDOMAIN or other
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           <span class="command"><strong>rate-limit</strong></span> statements in <span class="command"><strong>view</strong></span>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           A <span class="command"><strong>rate-limit</strong></span> statement in a view replaces
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           instead of being merged with a <span class="command"><strong>rate-limit</strong></span>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Enable <span class="command"><strong>rate-limit</strong></span> category logging to monitor
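The grep hits above show what the backported RRL feature consists of: a per-client "credit" or "token bucket" accounting scheme, a log-only mode for testing parameters, exemptions for selected clients, and a rate-limit logging category. The following Python model is an added example, not code from BIND, from Red Hat, or from this bug; it is a simplified account of that credit scheme, not BIND's rrl.c. Its configuration fields are named after the upstream named.conf rate-limit options (responses-per-second, window, slip, log-only, exempt-clients, ipv4-prefix-length), and the sample traffic is constructed.

```python
"""Simplified model of BIND's response rate limiting (RRL) credit scheme.

Added example for illustration; this is NOT BIND's rrl.c, only a model of the
"credit" / "token bucket" accounting the ARM describes, with the named.conf
rate-limit option names used as field names.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class RrlConfig:
    responses_per_second: int = 5      # credits added per second, and bucket ceiling
    window: int = 5                    # seconds of debt a bucket may accumulate
    slip: int = 2                      # every slip-th limited response is sent truncated
    log_only: bool = False             # account and log, but never drop
    ipv4_prefix_length: int = 24       # clients are aggregated per netblock
    exempt_clients: Tuple[str, ...] = ()


@dataclass
class Bucket:
    balance: float      # positive = credits left, negative = debt
    last: float         # time of last accounting
    limited: int = 0    # count of limited responses, drives slip


class RateLimiter:
    def __init__(self, cfg: RrlConfig) -> None:
        self.cfg = cfg
        self.buckets: Dict[tuple, Bucket] = {}
        self.log: List[str] = []   # what the rate-limit logging category would record

    def _exempt(self, client_ip: str) -> bool:
        addr = ip_address(client_ip)
        return any(addr in ip_network(n) for n in self.cfg.exempt_clients)

    def _key(self, client_ip: str, qname: str, kind: str) -> tuple:
        # One bucket per (client netblock, name, response kind), as RRL does.
        net = ip_network(f"{client_ip}/{self.cfg.ipv4_prefix_length}", strict=False)
        return (str(net), qname.lower(), kind)

    def decide(self, now: float, client_ip: str, qname: str, kind: str = "answer") -> str:
        """Return 'send', 'drop' or 'slip' for one would-be response."""
        cfg = self.cfg
        if self._exempt(client_ip):
            return "send"
        key = self._key(client_ip, qname, kind)
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(balance=cfg.responses_per_second, last=now)
            self.buckets[key] = b
        # Replenish credits for the time elapsed, never above the per-second rate.
        b.balance = min(cfg.responses_per_second,
                        b.balance + (now - b.last) * cfg.responses_per_second)
        b.last = now
        b.balance -= 1
        if b.balance >= 0:
            return "send"
        # Out of credit: debt is bounded so a burst is forgiven after `window` seconds.
        b.balance = max(b.balance, -cfg.window * cfg.responses_per_second)
        b.limited += 1
        action = "slip" if cfg.slip and b.limited % cfg.slip == 0 else "drop"
        self.log.append(f"t={now:g} {action} response for {qname} to {key[0]}")
        return "send" if cfg.log_only else action


def simulate(cfg: RrlConfig, events: List[Tuple[float, str, str]]) -> Tuple[List[str], List[str]]:
    """Run (time, client_ip, qname) events through one limiter; return decisions and log."""
    rl = RateLimiter(cfg)
    decisions = [rl.decide(t, ip, name) for t, ip, name in events]
    return decisions, rl.log


# Constructed sample traffic: a burst of identical queries from one client, a
# second client in the same /24, an unrelated client, then the first client
# again two seconds later, after the bucket has been replenished.
SAMPLE_EVENTS = [(0.0, "192.0.2.10", "example.com")] * 8 + [
    (0.0, "192.0.2.77", "example.com"),
    (0.0, "198.51.100.5", "example.com"),
    (2.0, "192.0.2.10", "example.com"),
]

if __name__ == "__main__":
    for label, cfg in [("enforcing", RrlConfig()), ("log-only", RrlConfig(log_only=True))]:
        decisions, log = simulate(cfg, SAMPLE_EVENTS)
        print(label, decisions)
        for line in log:
            print("  ", line)
```

With the default (enforcing) configuration the first five responses in the burst are sent, the rest are dropped or slipped, the second client in the same /24 shares the bucket and is limited too, the unrelated client is unaffected, and two seconds later the first client is served again. With log_only set, every decision is "send" but the log still records what would have been dropped or slipped, which is the mode to run first when tuning responses-per-second and window on a live server.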

Comment 2 Tomáš Hozza 2014-12-17 07:53:51 UTC
Removing ZStream keyword and PMApproves, as this is from the cloned bug.

Comment 3 Tomáš Hozza 2015-01-19 14:31:33 UTC
The RRL functionality is documented in the ARM ~ Administrator Reference Manual. 

Adding the option to the named.conf man page will not make it more or better documented. Also, the upstream man page does not include the rate-limit option. Is adding the option to the named.conf man page really necessary?

Comment 4 Tomáš Hozza 2015-01-28 09:39:53 UTC
Ping reporter...

Comment 6 Tomáš Hozza 2015-02-16 14:52:56 UTC
Thank you for your response.

I understand that RRL is not that simple and that is the main reason why it is documented in the ARM. You can always refer to the upstream ARM [1] or point customers to the documentation installed with bind package.

Example on RHEL-6:
# rpm -qd bind | grep ARM
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch01.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch02.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch03.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch04.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch05.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch07.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch08.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch09.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch10.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.pdf

Rate limiting is documented in the /usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html file. Please verify that it covers your needs. To make it clearer for customers, maybe some KB article would be a good idea.


[1] http://ftp.isc.org/isc/bind9/9.10.2rc1/doc/arm/Bv9ARM.ch06.html

Comment 7 Bryan Totty 2015-03-07 14:55:04 UTC
I have added this mention to our article available at: 
https://access.redhat.com/solutions/1260543