Bug 1174953 - bind: Rate Limiting (DNS RRL) patch is not documented in Red Hat Enterprise Linux 6 manual pages
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Tomáš Hozza
QA Contact: qe-baseos-daemons
URL: http://www.redbarn.org/dns/ratelimits
Whiteboard:
Depends On: 873624
Blocks: 906312
Reported: 2014-12-16 20:29 UTC by Bryan Totty
Modified: 2018-12-09 19:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 873624
Environment:
Last Closed: 2015-03-09 07:28:41 UTC
Target Upstream Version:
Embargoed:



Comment 1 Bryan Totty 2014-12-16 20:32:56 UTC
There is no documentation of the added rate-limit parameter in the named.conf manual page.

# man named.conf

Or in

# man named


However, there are some hits at:

# grep -ir "rate limit" /usr/share/doc/bind-9.8.2/
/usr/share/doc/bind-9.8.2/CHANGES:2026.	[bug]		Rate limit the two recursive client exceeded messages.
/usr/share/doc/bind-9.8.2/CHANGES:1341.	[func]		Allow a rate limiter to be stalled.
/usr/share/doc/bind-9.8.2/CHANGES:			rate limiting of the transmitted messages.
/usr/share/doc/bind-9.8.2/CHANGES:			be rate limited so as to not use up all file
/usr/share/doc/bind-9.8.2/CHANGES:  99.	[cleanup]	Rate limiter now has separate shutdown() and
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:		      rate limiting of a stream of responses are logged at
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:		      minute after rate limit stops.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:		      Rate limiting of individual requests
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:         <title>Rate Limiting</title>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Rate limiting works by setting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Rate limiting uses a "credit" or "token bucket" scheme.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Rate limiting prevents the use of BIND 9 to flood a network
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           or sends no rate limiting truncated responses.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate limiting by putting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           DNS clients within a view can be exempted from rate limits
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           This rate limiting is unlike the rate limiting provided by
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate limiting offered by firewalls but often inferior.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           but that rate limiting must be done before the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate limit responses is set with <command>max-table-size</command>.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Use <command>log-only yes</command> to test rate limiting parameters
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Responses dropped by rate limits are included in the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Responses that truncated by rate limits are included in
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:			Responses dropped by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:			Responses truncated by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:		      rate limiting of a stream of responses are logged at
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:		      minute after rate limit stops.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:		      Rate limiting of individual requests
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:         <title>Rate Limiting</title>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Rate limiting works by setting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Rate limiting uses a "credit" or "token bucket" scheme.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Rate limiting prevents the use of BIND 9 to flood a network
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           or sends no rate limiting truncated responses.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate limiting by putting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           DNS clients within a view can be exempted from rate limits
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           This rate limiting is unlike the rate limiting provided by
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate limiting offered by firewalls but often inferior.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           but that rate limiting must be done before the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate limit responses is set with <command>max-table-size</command>.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Use <command>log-only yes</command> to test rate limiting parameters
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Responses dropped by rate limits are included in the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Responses that truncated by rate limits are included in
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:			Responses dropped by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:			Responses truncated by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                      rate limiting of a stream of responses are logged at
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                      minute after rate limit stops.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                      Rate limiting of individual requests
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:<div class="sect3" title="Rate Limiting">
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:<a name="idp2308624"></a>Rate Limiting</h4></div></div></div>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Rate limiting works by setting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Rate limiting uses a "credit" or "token bucket" scheme.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Rate limiting prevents the use of BIND 9 to flood a network
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           or sends no rate limiting truncated responses.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate limiting by putting
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           DNS clients within a view can be exempted from rate limits
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           This rate limiting is unlike the rate limiting provided by
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate limiting offered by firewalls but often inferior.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           but that rate limiting must be done before the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate limit responses is set with <span class="command"><strong>max-table-size</strong></span>.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Use <span class="command"><strong>log-only yes</strong></span> to test rate limiting parameters
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Responses dropped by rate limits are included in the
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Responses that truncated by rate limits are included in
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                        Responses dropped by rate limits.
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                        Responses truncated by rate limits.

# grep -ir "rate-limit" /usr/share/doc/bind-9.8.2/
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:                    <para><command>rate-limit</command></para>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:    <optional> rate-limit {
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           <command>rate-limit</command> clause in an
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate-limited responses to legitimate
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           rate-limiting in a view or to only rate-limit NXDOMAIN or other
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           <command>rate-limit</command> statements in <command>view</command>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           A <command>rate-limit</command> statement in a view replaces
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           instead of being merged with a <command>rate-limit</command>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml:           Enable <command>rate-limit</command> category logging to monitor
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:                    <para><command>rate-limit</command></para>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:    <optional> rate-limit {
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           <command>rate-limit</command> clause in an
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate-limited responses to legitimate
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           rate-limiting in a view or to only rate-limit NXDOMAIN or other
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           <command>rate-limit</command> statements in <command>view</command>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           A <command>rate-limit</command> statement in a view replaces
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           instead of being merged with a <command>rate-limit</command>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml.CVE-2014-8500:           Enable <command>rate-limit</command> category logging to monitor
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:                    <p><span class="command"><strong>rate-limit</strong></span></p>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:    [<span class="optional"> rate-limit {
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           <span class="command"><strong>rate-limit</strong></span> clause in an
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate-limited responses to legitimate
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           rate-limiting in a view or to only rate-limit NXDOMAIN or other
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           <span class="command"><strong>rate-limit</strong></span> statements in <span class="command"><strong>view</strong></span>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           A <span class="command"><strong>rate-limit</strong></span> statement in a view replaces
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           instead of being merged with a <span class="command"><strong>rate-limit</strong></span>
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html:           Enable <span class="command"><strong>rate-limit</strong></span> category logging to monitor

Comment 2 Tomáš Hozza 2014-12-17 07:53:51 UTC
Removing ZStream keyword and PMApproves, as this is from the cloned bug.

Comment 3 Tomáš Hozza 2015-01-19 14:31:33 UTC
The RRL functionality is documented in the ARM (Administrator Reference Manual).

Adding the option to the named.conf man page will not make it more or better documented. Also, the upstream man page does not include the rate-limit option. Is adding the option to the named.conf man page really necessary?

Comment 4 Tomáš Hozza 2015-01-28 09:39:53 UTC
Ping reporter...

Comment 6 Tomáš Hozza 2015-02-16 14:52:56 UTC
Thank you for your response.

I understand that RRL is not that simple, and that is the main reason why it is documented in the ARM. You can always refer to the upstream ARM [1] or point customers to the documentation installed with the bind package.

Example on RHEL-6:
# rpm -qd bind | grep ARM
/usr/share/doc/bind-9.8.2/arm/Bv9ARM-book.xml
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch01.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch02.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch03.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch04.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch05.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch07.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch08.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch09.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch10.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.html
/usr/share/doc/bind-9.8.2/arm/Bv9ARM.pdf

Rate limiting is documented in the /usr/share/doc/bind-9.8.2/arm/Bv9ARM.ch06.html file. Please verify that it covers your needs. To make it clearer for customers, maybe a KB article would be a good idea.


[1] http://ftp.isc.org/isc/bind9/9.10.2rc1/doc/arm/Bv9ARM.ch06.html

Comment 7 Bryan Totty 2015-03-07 14:55:04 UTC
I have added this mention to our article available at: 
https://access.redhat.com/solutions/1260543
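
An added illustration, not part of the bug report or of Red Hat's or ISC's documentation: a named.conf fragment built around the settings the grep output in comment 1 names (the rate-limit clause, log-only, max-table-size, client exemption, and the rate-limit logging category). The numeric values, the responses-per-second, window and exempt-clients settings, the channel name and the log path are assumptions; confirm the syntax your build accepts in the installed ARM chapter 6.

```conf
// Added example (assumed values), for an authoritative server.
options {
    directory "/var/named";

    rate-limit {
        // Per-client-network budget of identical responses per second.
        // Without a per-second limit the clause limits nothing.
        responses-per-second 5;

        // Seconds over which the rate is averaged (assumed value).
        window 5;

        // Test mode: log what would be dropped or truncated,
        // but still answer normally. Remove once the limits are tuned.
        log-only yes;

        // Upper bound on the table that tracks rate-limited responses.
        max-table-size 20000;

        // Clients that are never rate limited (assumed list).
        exempt-clients { 127.0.0.1; };
    };
};

logging {
    // Hypothetical channel name and path, relative to "directory".
    channel rrl_log {
        file "data/named-rrl.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };

    // Send the rate-limit category to its own file for monitoring.
    category rate-limit { rrl_log; };
};

// Note: a rate-limit statement inside a view replaces the one in
// options; the two are not merged.
```

Run named-checkconf on the edited file before reloading named, and watch the rate-limit log while log-only is still set to see which clients would be affected.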

