BIND9 RL and RPZ Patches

BIND9 RRL and RPZ Patches

The May 11, 2013, version of these patches

treat all NODATA or empty responses for a query name the same regardless of query type.
add "referrals-per-second" and "nodata-per-second" configuration parameters.
fix a bug of not counting dropped error responses in RRL statistics.
fix a bug of not limiting referrals on recursive servers to "." before the hints are loaded or with "additional-from-cache no"

The April 4, 2013, version of these patches fixes "rate-limt{slip 1;};" to always send truncated (TC=1) responses and never drop responses. The default "slip 2;" is a better choice, because it drops every other response in a flood.

Since the last February, 2013, version of these patches:

Two patches for BIND 9.7.6-P4 and BIND 9.7.7 containing only Response Rate LIMITING (RRL) have been added. No response policy rewriting is available for those old versions of BIND 9.
Some RRL bugs have been fixed including an assertion botch on HPUX.

Since the 028.23 versions of the Multiple Zone Response Policy Zone (RPZ2) patches, the qname-wait-recurse option has been added. It can significantly speed up a DNS server. See the changed text for the RPZ section of the BIND Administrators Reference Manual (ARM).

Since a previous version of these patches:

A serious Multiple Zone Response Policy Zone (RPZ2) Speed Improvement bug has been fixed.
`./configure --enable-rpz-nsip --enable-rpz-nsdname` is now the default.
Responses affected by the all-per-second parameter are always dropped. The slip value has no effect on them.
There are improved log messages for responses that are dropped or "slipped," because they would require an excessive identical referral.

Apply (and only one) of these patches to a recent version of BIND9 on a UNIX-like system by:

Download the chosen version of BIND9 source and corresponding patch file.
Unpack the BIND9 source and run `patch -s -p0 -i FILE.patch` in the top directory of the BIND9 source.
Build and install the patched BIND9.

After one of the patches has been installed, `named -v` and `dig +short chaos version.bind txt` display the version string corresponding to a file name listed below.

Single Zone Response Policy Zone (RPZ) Speed Improvement with RRL

BIND9 9.9.2-P2: file rpz+rl-9.9.2-P2.patch, version 9.9.2-rpz+rl.131.14-P2
BIND9 9.9.2-P1: file rpz+rl-9.9.2-P1.patch, version 9.9.2-rpz+rl.131.14-P1
BIND9 9.9.3rc2: file rpz+rl-9.9.3rc2.patch, version 9.9.3rc2-rpz+rl.131.14
BIND9 9.8.4-P2: file rpz+rl-9.8.4-P2.patch, version 9.8.4-rpz+rl.131.14-P2
BIND9 9.8.4-P1: file rpz+rl-9.8.4-P1.patch, version 9.8.4-rpz+rl.131.14-P1
BIND9 9.8.5rc2: file rpz+rl-9.8.5rc2.patch, version 9.8.5rc2-rpz+rl.131.14

These patches improve response policy rpz-nsip and rpz-nsdame performance. A new parameter min-ns-dots specifies the minimum number of dots in NS records which will receive NSIP and NSDNAME rpz checks.

For example, www.domain.com has one IP address and three DNS servers, ns1.domain.com, ns2.domain.com, and ns3.domain.com. There are a total of 3 IP records for those {ns1,ns2,ns3}.domain.com. There are 13 NS records for com, the next domain in the authority chain. There are 15 IP address for those those 13 gTLD NS records.

When BIND is built with the --enable-rpz-nsip or --enable-rpz-nsdname options on the "configure" command line, and when configured response-policy{} zones include rpz-nsip and rpz-ip records, the three NS domain names, {ns1,ns2,ns3}.domain, and their three IP address must looked up in the policy zones after www.domain.com and its IP address. With min-ns-dots set to its default of 1 in this new version, the rpz checks stop after checking those 7 names and addresses.

In the previous version or in this version with min-ns-dots set to 0, the 13 names and 15 address for the gTLD servers must also be checked. Those additional 28 checks cost significant resources, but are rarely desired or useful.

Rewritten responses are counted in the global and per-zone RPZRewrites statistics

There is changed text for the RPZ section of the BIND Administrators Reference Manual (ARM) describing the syntax of the new min-ns-dots parameter.

These patches include the rate limit patches listed below.

Please report RPZ problems to Paul Vixie, Vernon Schyrver, or the dnsrpz-interest mailing list.

Multiple Zone Response Policy Zone (RPZ2) Speed Improvement with RRL

BIND9 9.9.2-P2: file rpz2+rl-9.9.2-P2.patch, version 9.9.2-rpz2+rl.131.14-P2
BIND9 9.9.2-P1: file rpz2+rl-9.9.2-P1.patch, version 9.9.2-rpz2+rl.131.14-P1
BIND9 9.9.3rc2: file rpz2+rl-9.9.3rc2.patch, version 9.9.3rc2-rpz2+rl.131.14
BIND9 9.8.4-P2: file rpz2+rl-9.8.4-P2.patch, version 9.8.4-rpz2+rl.131.14-P2
BIND9 9.8.4-P1: file rpz2+rl-9.8.4-P1.patch, version 9.8.4-rpz2+rl.131.14-P1
BIND9 9.8.5rc2: file rpz2+rl-9.8.5rc2.patch, version 9.8.5rc2-rpz2+rl.131.14

These patches contain large internal changes in addition to the new min-ns-dot parameter and RPZRewrites statistics described above. The current versions of these patches fix bugs related to rndc reload in previous versions.

When two or more policy zones are configured, a database summarizing all configured policy zones is consulted to determine which if any policy zone has a policy triggered by a name or address. The result is a significant speed improvement on systems using several policy zones.

Because the changes in these patches are substantial, there is more danger that they contain bugs. There can be no promise about when features of either of these RPZ patches will appear in official BIND9 releases. A guess is that the single zone speed improvements might be officially released before the larger multiple zone changes. We are releasing these patches to collect bug reports.

The same changed text for the RPZ section of the BIND Administrators Reference Manual (ARM) applies to these patches.

These patches include the rate limit patches listed below.

Please report RPZ problems to Paul Vixie, Vernon Schyrver, or the dnsrpz-interest mailing list.

Response Rate Limiting (RRL) Patches

The patches above contain the January 8, 2013 version of the BIND9 Response Rate Limiting (RRL) code. They correct an error in the previous version of the BIND9 RRL patch reported by Irwin Tillman. They also include the single zone or the multiple zone RPZ change described above.

There is text for the BIND Administrators Reference Manual (ARM) describing the response-policy statement.

Please report RRL problems to Paul Vixie, Vernon Schyrver, or the ratelimits mailing list.

Separate Single Zone Response Policy Zone (RPZ) Speed Improvement Patches

BIND9 9.9.2-P2: file rpz-9.9.2-P2.patch, version 9.9.2-rpz.094.21-P2
BIND9 9.9.2-P1: file rpz-9.9.2-P1.patch, version 9.9.2-rpz.094.21-P1
BIND9 9.9.3rc2: contains the single zone RPZ speed improvements
BIND9 9.8.4-P2: file rpz-9.8.4-P2.patch, version 9.8.4-rpz.094.21-P2
BIND9 9.8.4-P1: file rpz-9.8.4-P1.patch, version 9.8.4-rpz.094.21-P1
BIND9 9.8.5rc2: contains the single zone RPZ speed improvements

Each of these patches is half of the corresponding recommended Single Zone Response Policy Zone Speed Improvement patch above. The combined RPZ speed improvement and RRL patches are recommended, because these separate patches conflict with the separate RRL patches. DO NOT attempt to install one of these patches before or after one of the separate RPZ speed improvement patches unless you are prepared to merge their conflicting changes.

Separate Multiple Zone Response Policy Zone (RPZ2) Speed Improvement Patches

BIND9 9.9.2-P2: file rpz2-9.9.2-P2.patch, version 9.9.2-rpz2.094.21-P2
BIND9 9.9.2-P1: file rpz2-9.9.2-P1.patch, version 9.9.2-rpz2.094.21-P1
BIND9 9.9.3rc2: file rpz2-9.9.3rc2.patch, version 9.9.3rc2-rpz2.105.03
BIND9 9.8.4-P2: file rpz2-9.8.4-P2.patch, version 9.8.4-rpz2.094.21-P2
BIND9 9.8.4-P1: file rpz2-9.8.4-P1.patch, version 9.8.4-rpz2.094.21-P1
BIND9 9.8.5rc2: file rpz2-9.8.5rc2.patch, version 9.8.5rc2-rpz2.105.03

Each of these patches is half of the corresponding recommended Multiple Zone Response Policy Zone Speed Improvement patch above. The combined RPZ speed improvement and RRL patches are recommended, because these patches separate conflict with the separate RRL patches. DO NOT attempt to install one of these patches before or after one of the separate RPZ speed improvement patches unless you are prepared to merge their conflicting changes.

Separate Response Rate Limiting (RRL) Patches

BIND9 9.9.2-P2: file rl-9.9.2-P2.patch, version 9.9.2-rl.131.14-P2
BIND9 9.9.2-P1: file rl-9.9.2-P1.patch, version 9.9.2-rl.131.14-P1
BIND9 9.9.3rc2: file rl-9.9.3rc2.patch, version 9.9.3rc2-rl.131.14
BIND9 9.8.4-P2: file rl-9.8.4-P2.patch, version 9.8.4-rl.131.14-P2
BIND9 9.8.4-P1: file rl-9.8.4-P1.patch, version 9.8.4-rl.131.14-P1
BIND9 9.8.5rc2: file rl-9.8.5rc2.patch, version 9.8.5rc2-rl.131.14
BIND9 9.7.7: file rl-9.7.7.patch, version 9.7.7-rl.131.14
BIND9 9.7.6-P4: file rl-9.7.6-P4.patch, version 9.7.6-P4-rl.131.14

Each of these patches is half of a corresponding recommended Single Zone Response Policy Zone Speed Improvement or Multiple Zone Response Policy Zone Speed Improvement patch. The combined RPZ speed improvement and RRL patches are recommended, because these separate patches conflict with the separate RPZ patches. DO NOT attempt to install one of these patches before or after one of the separate RPZ speed improvement patches unless you are prepared to merge their conflicting changes.

Please report problems with this web page to Vernon Schyrver.