
Bug 1174953

Summary: bind: Rate Limiting (DNS RRL) patch is not documented in Red Hat Enterprise Linux 6 manual pages
Product: Red Hat Enterprise Linux 6
Reporter: Bryan Totty <btotty>
Component: bind
Assignee: Tomáš Hozza <thozza>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: medium
Priority: medium
Version: 6.6
CC: btotty, chorn, jlieskov, kevin, noah.robin, ovasik, qe-baseos-daemons, thozza, tlavigne
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: http://www.redbarn.org/dns/ratelimits
Doc Type: Bug Fix
Clone Of: 873624
Last Closed: 2015-03-09 07:28:41 UTC
Type: Bug
Bug Depends On: 873624
Bug Blocks: 906312

Comment 1 Bryan Totty 2014-12-16 20:32:56 UTC
There is no documentation of the added rate-limit parameter in the named.conf manual page.

# man named.conf

Or in

# man named


However, there are some hits at:

# grep -ir "rate limit" /usr/share/doc/bind-9.8.2/
/usr/share/doc/bind-9.8.2/CHANGES:2026.	[bug]		Rate limit the two recursive client exceeded messages.
/usr/share/doc/bind-9.8.2/CHANGES:1341.	[func]		Allow a rate limiter to be stalled.
/usr/share/doc/bind-9.8.2/CHANGES:			rate limiting of the transmitted messages.
/usr/share/doc/bind-9.8.2/CHANGES:			be rate limited so as to not use up all file
/usr/share/doc/bind-9.8.2/CHANGES:  99.	[cleanup]	Rate limiter now has separate shutdown() and
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:		      rate limiting of a stream of responses are logged at
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:		      minute after rate limit stops.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:		      Rate limiting of individual requests
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:         <title>Rate Limiting</title>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Rate limiting works by setting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Rate limiting uses a "credit" or "token bucket" scheme.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Rate limiting prevents the use of BIND 9 to flood a network
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           or sends no rate limiting truncated responses.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate limiting by putting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           DNS clients within a view can be exempted from rate limits
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           This rate limiting is unlike the rate limiting provided by
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate limiting offered by firewalls but often inferior.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           but that rate limiting must be done before the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate limit responses is set with <command>max-table-size</command>.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Use <command>log-only yes</command> to test rate limiting parameters
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Responses dropped by rate limits are included in the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Responses that truncated by rate limits are included in
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:			Responses dropped by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:			Responses truncated by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:		      rate limiting of a stream of responses are logged at
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:		      minute after rate limit stops.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:		      Rate limiting of individual requests
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:         <title>Rate Limiting</title>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Rate limiting works by setting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Rate limiting uses a "credit" or "token bucket" scheme.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Rate limiting prevents the use of BIND 9 to flood a network
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           or sends no rate limiting truncated responses.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate limiting by putting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           DNS clients within a view can be exempted from rate limits
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           This rate limiting is unlike the rate limiting provided by
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate limiting offered by firewalls but often inferior.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           but that rate limiting must be done before the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate limit responses is set with <command>max-table-size</command>.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Use <command>log-only yes</command> to test rate limiting parameters
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Responses dropped by rate limits are included in the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Responses that truncated by rate limits are included in
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:			Responses dropped by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:			Responses truncated by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                      rate limiting of a stream of responses are logged at
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                      minute after rate limit stops.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                      Rate limiting of individual requests
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:<div class="sect3" title="Rate Limiting">
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:<a name="idp2308624"></a>Rate Limiting</h4></div></div></div>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Rate limiting works by setting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Rate limiting uses a "credit" or "token bucket" scheme.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Rate limiting prevents the use of BIND 9 to flood a network
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           or sends no rate limiting truncated responses.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate limiting by putting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           DNS clients within a view can be exempted from rate limits
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           This rate limiting is unlike the rate limiting provided by
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate limiting offered by firewalls but often inferior.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           but that rate limiting must be done before the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate limit responses is set with <span class="command"><strong>max-table-size</strong></span>.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Use <span class="command"><strong>log-only yes</strong></span> to test rate limiting parameters
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Responses dropped by rate limits are included in the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Responses that truncated by rate limits are included in
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                        Responses dropped by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                        Responses truncated by rate limits.

# grep -ir "rate-limit" /usr/share/doc/bind-9.8.2/
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:                    <para><command>rate-limit</command></para>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:    <optional> rate-limit {
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           <command>rate-limit</command> clause in an
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate-limited responses to legitimate
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate-limiting in a view or to only rate-limit NXDOMAIN or other
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           <command>rate-limit</command> statements in <command>view</command>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           A <command>rate-limit</command> statement in a view replaces
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           instead of being merged with a <command>rate-limit</command>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Enable <command>rate-limit</command> category logging to monitor
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:                    <para><command>rate-limit</command></para>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:    <optional> rate-limit {
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           <command>rate-limit</command> clause in an
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate-limited responses to legitimate
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate-limiting in a view or to only rate-limit NXDOMAIN or other
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           <command>rate-limit</command> statements in <command>view</command>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           A <command>rate-limit</command> statement in a view replaces
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           instead of being merged with a <command>rate-limit</command>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Enable <command>rate-limit</command> category logging to monitor
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                    <p><span class="command"><strong>rate-limit</strong></span></p>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:    [<span class="optional"> rate-limit {
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           <span class="command"><strong>rate-limit</strong></span> clause in an
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate-limited responses to legitimate
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate-limiting in a view or to only rate-limit NXDOMAIN or other
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           <span class="command"><strong>rate-limit</strong></span> statements in <span class="command"><strong>view</strong></span>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           A <span class="command"><strong>rate-limit</strong></span> statement in a view replaces
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           instead of being merged with a <span class="command"><strong>rate-limit</strong></span>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Enable <span class="command"><strong>rate-limit</strong></span> category logging to monitor

Comment 2 Tomáš Hozza 2014-12-17 07:53:51 UTC
Removing ZStream keyword and PMApproves, as this is from the cloned bug.

Comment 3 Tomáš Hozza 2015-01-19 14:31:33 UTC
The RRL functionality is documented in the ARM (Administrator Reference Manual).

Adding the option to the named.conf man page will not make it more or better documented. Also, the upstream man page does not include the rate-limit option. Is adding the option to the named.conf man page really necessary?

Comment 4 Tomáš Hozza 2015-01-28 09:39:53 UTC
Ping reporter...

Comment 6 Tomáš Hozza 2015-02-16 14:52:56 UTC
Thank you for your response.

I understand that RRL is not that simple and that is the main reason why it is documented in the ARM. You can always refer to the upstream ARM [1] or point customers to the documentation installed with the bind package.

Example on RHEL-6:
# rpm -qd bind | grep ARM
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch01.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch02.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch03.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch04.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch05.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch07.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch08.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch09.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch10.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.pdf

Rate Limiting is documented in the /usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html file. Please verify that it covers your needs. To make it more clear for customers, maybe some KB article would be a good idea.


[1] http://ftp.isc.org/isc/bind9/9.10.2rc1/doc/arm/Bv9ARM.ch06.html
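
For readers who land here looking for the syntax the man page omits, the following named.conf fragment is an added example, not part of the bug report or of Red Hat's documentation. It ties together the options that appear in the grep output above (log-only, max-table-size, client exemption, the rate-limit logging category); all numeric values, addresses and the log path are assumptions to be checked against the "Rate Limiting" section of the installed Bv9ARM.ch06.html.

```conf
// Added example. Merge these clauses into the existing options and
// logging blocks; named.conf allows only one of each.
options {
    rate-limit {
        // Identical responses allowed per second to one client network
        // (illustrative value).
        responses-per-second 5;

        // Length in seconds of the window over which responses are
        // counted (illustrative value).
        window 5;

        // Trial mode: log what would be dropped or truncated without
        // actually limiting anything. Switch to "no" after reviewing logs.
        log-only yes;

        // Clients that must never be limited, e.g. localhost and
        // internal resolvers or monitoring hosts. 192.0.2.0/24 is a
        // documentation prefix used here as a placeholder.
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };

        // Upper bound on the table used to track rate-limited responses
        // (illustrative value).
        max-table-size 20000;
    };
};

// A rate-limit statement inside a view replaces the one in options
// instead of being merged with it, so repeat every setting you need there.

logging {
    // Dedicated channel so rate-limit events are easy to review.
    // The path is an assumption; it is relative to named's working directory.
    channel rrl_log {
        file "data/rate-limit.log" versions 3 size 10m;
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };
};
```

Run named-checkconf on the edited file before reloading named, since a build without the RRL patch rejects the rate-limit clause as an unknown option.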

Comment 7 Bryan Totty 2015-03-07 14:55:04 UTC
I have added this mention to our article available at: 
https://access.redhat.com/solutions/1260543