[Bug 1288823] [NEW] Trusty bind9 RRL
Steve Risteter
stever at corp.ptd.net
Thu Mar 6 15:40:30 UTC 2014
Public bug reported:
It would be nice if the bind9 package for trusty included the --enable-rrl
option to mitigate DNS amplification attacks and other DoS-style attacks.
ISC has already included this in the upstream code, and the --enable-rrl
option needs to be added to the configure statement.
https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html
Adding the following to /etc/bind/named.conf.options results in an error:

    rate-limit {
        responses-per-second 5;
        log-only yes;
    };
Mar 6 07:28:56 ubuntu named[23914]: loading configuration from '/etc/bind/named.conf'
Mar 6 07:28:56 ubuntu named[23914]: /etc/bind/named.conf.options:26: unknown option 'rate-limit'
Mar 6 07:28:56 ubuntu named[23914]: loading configuration: failure
Mar 6 07:28:56 ubuntu named[23914]: exiting (due to fatal error)
Checking named -V does not show the --enable-rrl option:

root@ubuntu:/etc/bind# named -V
BIND 9.9.5-2-Ubuntu (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
compiled by GCC 4.8.2
using OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
using libxml2 version: 2.9.1
** Affects: bind9 (Ubuntu)
Importance: Undecided
Status: New
** Patch added: "Patch to modify debian/rules to enable rrl"
https://bugs.launchpad.net/bugs/1288823/+attachment/4009933/+files/enable-rrl.diff
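The failure above is the sort of thing to catch before a reload rather than in named's fatal-error path: the rate-limit stanza is only parsed by a named built with --enable-rrl, so the configure line printed by named -V is the check to run first. The script below is an added example, not code from the bug report or from the bind9 package; rrl_supported and rrl_stanza are hypothetical helper names, and the two NAMED_V strings are constructed samples (the first abbreviated from the trusty output in the report, the second showing how that line would look once debian/rules passes --enable-rrl). One caveat: the flag check only applies to BIND 9.9.x, where RRL is a build option; from 9.10 on ISC builds RRL in unconditionally and no --enable-rrl appears in named -V.

```shell
#!/bin/sh
# Added example (not from the bug report): gate the rate-limit {} stanza on
# whether the running named was built with RRL, using the configure options
# that `named -V` prints. Applies to BIND 9.9.x, where RRL is optional.

# rrl_supported OUTPUT: succeed if OUTPUT (text of `named -V`) lists
# '--enable-rrl' among its quoted configure options.
rrl_supported() {
    case "$1" in
        *"'--enable-rrl'"*) return 0 ;;
        *) return 1 ;;
    esac
}

# rrl_stanza [LOG_ONLY]: print a rate-limit block for named.conf.options.
# Start with log-only yes to observe what would be throttled, then flip it
# to no once the limits look right for the zone's real query mix.
rrl_stanza() {
    log_only=${1:-yes}
    printf 'rate-limit {\n'
    printf '    responses-per-second 5;\n'   # identical answers per client /24 per second
    printf '    window 5;\n'                 # averaging window in seconds
    printf '    slip 2;\n'                   # every 2nd dropped reply becomes a truncated one
    printf '    log-only %s;\n' "$log_only"  # yes = log decisions, do not drop
    printf '};\n'
}

# Constructed sample, shortened from the trusty 9.9.5 build in the report (no RRL).
TRUSTY_NAMED_V="BIND 9.9.5-2-Ubuntu (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--sysconfdir=/etc/bind' '--enable-threads' '--enable-filter-aaaa'"

# Constructed sample: the same build after debian/rules adds --enable-rrl.
PATCHED_NAMED_V="BIND 9.9.5-2-Ubuntu (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--sysconfdir=/etc/bind' '--enable-threads' '--enable-rrl' '--enable-filter-aaaa'"

# verdict OUTPUT: one-word summary used for the offline demonstration below.
verdict() {
    if rrl_supported "$1"; then echo rrl; else echo no-rrl; fi
}

# Offline demonstration on the constructed samples.
echo "trusty build:  $(verdict "$TRUSTY_NAMED_V")"    # no-rrl
echo "patched build: $(verdict "$PATCHED_NAMED_V")"   # rrl

# Live usage on a real host (not run here):
#   if rrl_supported "$(named -V)"; then
#       rrl_stanza yes >> /etc/bind/named.conf.options
#       named-checkconf /etc/bind/named.conf && rndc reload
#   else
#       echo "named lacks --enable-rrl; rate-limit would be a fatal config error" >&2
#   fi
```

named-checkconf in the live flow reproduces the same parser named uses at startup, so an "unknown option 'rate-limit'" shows up there instead of taking the resolver down on reload.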
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in Ubuntu.
https://bugs.launchpad.net/bugs/1288823
Title:
Trusty bind9 RRL
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1288823/+subscriptions