Ubuntu
bind9 package

Trusty bind9 RRL

Bug #1288823 reported by Steve Risteter
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
bind9 (Ubuntu)
Fix Released
High
Unassigned
Ubuntu ubuntu-14.04-beta-2

Bug Description

It would be nice if the bind9 package for trusty included the --enable-rrl option to mitigate DNS amplification attacks and other DOS style attacks. ISC has already included this in the upstream code and the --enable-rrl option needs to be added to the configure statement.

https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html

adding the following to /etc/bind/named.conf.options results in an error

        rate-limit {
                responses-per-second 5;
                log-only yes;
        };

Mar 6 07:28:56 ubuntu named[23914]: loading configuration from '/etc/bind/named.conf'
Mar 6 07:28:56 ubuntu named[23914]: /etc/bind/named.conf.options:26: unknown option 'rate-limit'
Mar 6 07:28:56 ubuntu named[23914]: loading configuration: failure
Mar 6 07:28:56 ubuntu named[23914]: exiting (due to fatal error)

Checking named -v does not show the enable-rrl option
root@ubuntu:/etc/bind# named -V
BIND 9.9.5-2-Ubuntu (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
compiled by GCC 4.8.2
using OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
using libxml2 version: 2.9.1

Tags: patch

Related branches

lp://staging/debian/bind9
Revision history for this message
Steve Risteter (stever-b) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch to modify debian/rules to enable rrl" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

This sounds like a reasonable request, but I have a few reservations:

1) Why is this configuration option not default upstream? Does this mean that they don't consider it ready for general default production use, and if this is the case, why should Ubuntu's position be different?

2) Debian doesn't carry this flag. Is it worth Ubuntu diverging from Debian here, or will Debian also be willing to carry this change? I'll ping a Debian bind9 maintainer on IRC after I post this and ask the question, but it would also make sense to file a bug in Debian if you want to do that; I don't see this configure option in Debian's source either.

3) Any security implications that I've not thought of? I'll ping an Ubuntu security team member on IRC after I post this.

4) We're past feature freeze for Trusty. Is this change worthy of an exception?

Changed in bind9 (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

More info on why it's not build with --enable-rrl by defaut:

https://kb.isc.org/article/AA-01058

I have no objection to building it with --enable-rrl, as long as it's not configured by default.

Revision history for this message
Robie Basak (racb) wrote :

Following discussion on IRC:

> 1) Why is this configuration option not default upstream?

For their stable release policy. This doesn't apply to a new Ubuntu release.

> 2) Debian doesn't carry this flag.

It will.

> 3) Any security implications that I've not thought of?

Marc has acked the configuration switch, but not enabling rate limiting in the default config, which I think is fine and is what is being asked for here.

> 4) We're past feature freeze for Trusty.

LaMont says that we've carried a patch for this feature before, so if support is gone, this is actually a regression. Thus I think it's a bugfix, not a feature, and so the freeze doesn't apply.

LaMont said he'd look at this on Sunday for us (thanks!). IRC log will appear here, though it's not updated yet: http://irclogs.ubuntu.com/2014/03/07/%23ubuntu-server.html

Changed in bind9 (Ubuntu):
milestone: none → ubuntu-14.04-beta-2
importance: Wishlist → High
Revision history for this message
Ralf Hildebrandt (ralf-hildebrandt) wrote :

Given that response rate limiting is considered (short of implementing BCP 38) the recommended
mitigation against the rampant DNS Amplification Attacks it would be foolish to strip Ubuntu LTS users of that tool!

See: https://www.us-cert.gov/ncas/alerts/TA13-088A

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bind9 - 1:9.9.5.dfsg-3

---------------
bind9 (1:9.9.5.dfsg-3) unstable; urgency=low

  * Re-enable rrl (now a configure option). Closes: #741059 LP: #1288823

 -- LaMont Jones <email address hidden> Mon, 24 Mar 2014 06:55:55 -0600

Changed in bind9 (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Steve Risteter (stever-b) wrote :

I have updated my Trust beta 1 test machine and Bind9 is working with the RRL, when the config is added.

Thanks to all and I look forward to the new release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.