• Large Zone Transfers Failing in Latest Buster Update

    From Brian@21:1/5 to All on Fri Aug 2 15:20:01 2024
    We just ran the latest updates for Debian Buster on one of our DNS servers running bind9 and one of the slave domains is failing with this message:
    Aug  2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN' from <ip address>#53: Transfer status: too many records
    There are about 1,400 records in that domain which has never posed a problem in the past.

    We have tried force transfers, purging journal files and nothing seems to work. We rolled back the update to one performed earlier in the month and now everything is working.
    Anybody have any idea what is going on with this latest update?

    Thanks,
    Brian


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Eduardo M KALINOWSKI@21:1/5 to Brian on Fri Aug 2 15:20:01 2024
    On 02/08/2024 10:10, Brian wrote:
    > We just ran the latest updates for Debian Buster on one of our DNS
    > servers running bind9 and one of the slave domains is failing with this message:
    >
    > Aug  2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN' from <ip address>#53: Transfer status: too many records
    >
    > There are about 1,400 records in that domain which has never posed a
    > problem in the past.
    >
    > We have tried force transfers, purging journal files and nothing seems
    > to work.
    >
    > We rolled back the update to one performed earlier in the month and now everything is working.
    >
    > Anybody have any idea what is going on with this latest update?

    Maybe related to https://kb.isc.org/docs/rrset-limits-in-zones ?

    See also
    https://lists.debian.org/debian-security-announce/2024/msg00145.html
    (even if it does not directly apply to buster).

    --
    The same duty that binds the servant to the sovereign binds the
    wife to the husband.
    -- William Shakespeare

    Eduardo M KALINOWSKI
    eduardo@kalinowski.com.br

  • From Brian@21:1/5 to Brian on Fri Aug 2 15:30:01 2024


    On Friday, August 2, 2024 at 09:16:10 AM EDT, Eduardo M KALINOWSKI <eduardo@kalinowski.com.br> wrote:

    > On 02/08/2024 10:10, Brian wrote:
    >> We just ran the latest updates for Debian Buster on one of our DNS
    >> servers running bind9 and one of the slave domains is failing with this message:
    >>
    >> Aug  2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN' from <ip address>#53: Transfer status: too many records
    >>
    >> There are about 1,400 records in that domain which has never posed a
    >> problem in the past.
    >>
    >> We have tried force transfers, purging journal files and nothing seems
    >> to work.
    >>
    >> We rolled back the update to one performed earlier in the month and now everything is working.
    >>
    >> Anybody have any idea what is going on with this latest update?
    >
    > Maybe related to https://kb.isc.org/docs/rrset-limits-in-zones ?
    >
    > See also
    > https://lists.debian.org/debian-security-announce/2024/msg00145.html
    > (even if it does not directly apply to buster).
    >
    > --
    > The same duty that binds the servant to the sovereign binds the
    > wife to the husband.
    > -- William Shakespeare
    >
    > Eduardo M KALINOWSKI
    > eduardo@kalinowski.com.br


    Thanks, I will check into that over the weekend and report back.


  • From Roberto C. Sánchez@21:1/5 to Eduardo M KALINOWSKI on Fri Aug 2 15:50:01 2024
    On Fri, Aug 02, 2024 at 10:15:38AM -0300, Eduardo M KALINOWSKI wrote:
    > On 02/08/2024 10:10, Brian wrote:
    >> We just ran the latest updates for Debian Buster on one of our DNS
    >> servers running bind9 and one of the slave domains is failing with this message:
    >>
    >> Aug  2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN' from <ip address>#53: Transfer status: too many records
    >>
    >> There are about 1,400 records in that domain which has never posed a problem in the past.
    >>
    >> We have tried force transfers, purging journal files and nothing seems
    >> to work.
    >>
    >> We rolled back the update to one performed earlier in the month and now everything is working.
    >>
    >> Anybody have any idea what is going on with this latest update?
    >
    > Maybe related to https://kb.isc.org/docs/rrset-limits-in-zones ?
    >
    > See also
    > https://lists.debian.org/debian-security-announce/2024/msg00145.html (even
    > if it does not directly apply to buster).

    That seems unlikely, as the bind9 package in buster has not yet been
    updated to fix the CVEs referenced in that particular DSA.

    Brian, can you provide more details about what specific packages were
    updated and from what version to what version? You can find that
    information in /var/log/dpkg.log*.

    Regards,

    -Roberto

    --
    Roberto C. Sánchez
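
Added example (not part of Roberto's message or of Debian's tooling): one way to pull the bind9-related upgrade records he asks for out of /var/log/dpkg.log*, including rotated .gz files. The package-name prefixes in the filter and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list upgrades of bind9-related packages recorded by dpkg,
# oldest first, as "date time package old-version -> new-version".
# dpkg.log upgrade lines look like:
#   YYYY-MM-DD HH:MM:SS upgrade <package>:<arch> <old-version> <new-version>

bind9_upgrades() {
    # $@: log files, plain or gzip-compressed; "-" reads standard input
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc -- "$f" ;;
            *)    cat -- "$f" ;;
        esac
    done |
    # Assumption: these prefixes cover the packages built from bind9 source.
    awk '$3 == "upgrade" &&
         $4 ~ /^(bind9|dnsutils|libbind|libdns|libisc|liblwres|libirs)/ {
             print $1, $2, $4, $5, "->", $6
         }' | sort
}

# Constructed sample log (not data from the thread); the two version strings
# are the ones shown by apt-cache policy elsewhere on this page.
sample_log() {
    cat <<'EOF'
2000-01-01 00:00:01 startup archives unpack
2000-01-01 00:00:02 upgrade bind9:amd64 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u11
2000-01-01 00:00:02 status half-configured bind9:amd64 1:9.11.5.P4+dfsg-5.1+deb10u7
2000-01-01 00:00:03 upgrade libdns1104:amd64 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u11
2000-01-01 00:00:04 upgrade example-pkg:amd64 1.0-1 1.0-2
EOF
}

sample_log | bind9_upgrades -
# On the affected host: bind9_upgrades /var/log/dpkg.log*
```

Comparing the output from before and after the rollback shows exactly which package versions changed between the working and the failing state.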

  • From Eduardo M KALINOWSKI@21:1/5 to All on Fri Aug 2 16:00:01 2024
    On 02/08/2024 10:44, Roberto C. Sánchez wrote:
    > On Fri, Aug 02, 2024 at 10:15:38AM -0300, Eduardo M KALINOWSKI wrote:
    >> Maybe related to https://kb.isc.org/docs/rrset-limits-in-zones ?
    >>
    >> See also
    >> https://lists.debian.org/debian-security-announce/2024/msg00145.html (even
    >> if it does not directly apply to buster).
    >
    > That seems unlikely, as the bind9 package in buster has not yet been
    > updated to fix the CVEs referenced in that particular DSA.
    >
    > Brian, can you provide more details about what specific packages were
    > updated and from what version to what version? You can find that
    > information in /var/log/dpkg.log*.

    buster has a new upstream version 9.20.0, which includes the new
    configuration options, and a default limit of 100 for each when they're
    not set (according to the first link).

    --
    All your files have been destroyed (sorry). Paul.

    Eduardo M KALINOWSKI
    eduardo@kalinowski.com.br
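
Added example (not from the thread or from ISC): for a BIND version that enforces the RRset limits described in the ISC article linked above, this counts records per name and type, and types per name, in `dig AXFR`-style output and reports anything over the limit of 100 mentioned in the post. The function names and the sample zone are constructed for illustration.

```shell
#!/bin/sh
# Added example: report owner names whose RRsets exceed a per-name limit.
# Input on stdin: one record per line, "owner TTL class type rdata...",
# as printed by `dig AXFR`; lines starting with ';' are comments.

rrset_limit_report() {
    # $1: limit to test against (100 is the default quoted in the thread)
    awk -v limit="${1:-100}" '
        /^[ \t]*(;|$)/ { next }                 # skip comments, blank lines
        NF >= 5 {
            name = tolower($1); type = toupper($4)
            key = name SUBSEP type
            if (!(key in rr)) types[name]++     # first record of a new type
            rr[key]++
        }
        END {
            for (k in rr) if (rr[k] > limit) {
                split(k, p, SUBSEP)
                printf "records-per-type %s %s %d\n", p[1], p[2], rr[k]
            }
            for (n in types) if (types[n] > limit)
                printf "types-per-name %s %d\n", n, types[n]
        }' | sort
}

# Constructed sample transfer (not a real zone): one name with 101 A records.
sample_axfr() {
    echo '; constructed sample, example.test'
    echo 'example.test. 3600 IN SOA ns.example.test. admin.example.test. 1 3600 600 86400 300'
    i=1
    while [ "$i" -le 101 ]; do
        echo "pool.example.test. 300 IN A 192.0.2.$i"
        i=$((i + 1))
    done
    echo 'www.example.test. 300 IN A 192.0.2.200'
    echo 'www.example.test. 300 IN A 192.0.2.201'
    echo 'www.example.test. 300 IN AAAA 2001:db8::1'
}

sample_axfr | rrset_limit_report 100
# On a real secondary, feed it the transfer instead, for example:
#   dig @<primary> <zone> AXFR | rrset_limit_report 100
```

A zone's total record count does not matter to this check, only how many records share one owner name and type. Because `dig` prints the SOA at both ends of an AXFR, the apex SOA is counted twice.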

  • From Roberto C. Sánchez@21:1/5 to Eduardo M KALINOWSKI on Fri Aug 2 16:40:02 2024
    On Fri, Aug 02, 2024 at 10:55:55AM -0300, Eduardo M KALINOWSKI wrote:
    > On 02/08/2024 10:44, Roberto C. Sánchez wrote:
    >> On Fri, Aug 02, 2024 at 10:15:38AM -0300, Eduardo M KALINOWSKI wrote:
    >>> Maybe related to https://kb.isc.org/docs/rrset-limits-in-zones ?
    >>>
    >>> See also https://lists.debian.org/debian-security-announce/2024/msg00145.html (even
    >>> if it does not directly apply to buster).
    >>
    >> That seems unlikely, as the bind9 package in buster has not yet been updated to fix the CVEs referenced in that particular DSA.
    >>
    >> Brian, can you provide more details about what specific packages were updated and from what version to what version? You can find that information in /var/log/dpkg.log*.
    >
    > buster has a new upstream version 9.20.0, which includes the new configuration options, and a default limit of 100 for each when they're not set (according to the first link).

    That new upstream version (9.20.0) is in sid/trixie. Buster has this:

    root@build01:/# cat /etc/debian_version
    10.13
    root@build01:/# apt-cache policy bind9
    bind9:
      Installed: (none)
      Candidate: 1:9.11.5.P4+dfsg-5.1+deb10u11
      Version table:
         1:9.11.5.P4+dfsg-5.1+deb10u11 500
            500 http://security.debian.org buster/updates/main amd64 Packages
         1:9.11.5.P4+dfsg-5.1+deb10u7 500
            500 http://deb.debian.org/debian buster/main amd64 Packages

    This matches what is listed in the PTS [0].

    [0] https://tracker.debian.org/pkg/bind9

    --
    Roberto C. Sánchez

  • From Roberto C. Sánchez@21:1/5 to Jeffrey Walton on Fri Aug 2 16:40:01 2024
    On Fri, Aug 02, 2024 at 10:16:51AM -0400, Jeffrey Walton wrote:
    > On Fri, Aug 2, 2024 at 9:13 AM Brian <kimhick@yahoo.com> wrote:
    >>
    >> We just ran the latest updates for Debian Buster on one of our DNS servers running bind9 and one of the slave domains is failing with this message:
    >>
    >> Aug 2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN' from <ip address>#53: Transfer status: too many records
    >>
    >> There are about 1,400 records in that domain which has never posed a problem in the past.
    >>
    >> We have tried force transfers, purging journal files and nothing seems to work.
    >>
    >> We rolled back the update to one performed earlier in the month and now everything is working.
    >>
    >> Anybody have any idea what is going on with this latest update?
    >
    > I think this might be "bind9 update 9.16.50 -- too many record" from
    > the debian-security mailing list at <https://lists.debian.org/debian-security/2024/07/msg00003.html>.

    Which seems unlikely on a system running buster.

    --
    Roberto C. Sánchez

  • From Eduardo M KALINOWSKI@21:1/5 to All on Fri Aug 2 16:50:01 2024
    On 02/08/2024 11:35, Roberto C. Sánchez wrote:
    > That new upstream version (9.20.0) is in sid/trixie. Buster has this:

    You're right, I've been once more confused by the lack of any logical
    sequence between Debian release codenames.

    --
    We are the people our parents warned us about.

    Eduardo M KALINOWSKI
    eduardo@kalinowski.com.br

  • From Roberto C. Sánchez@21:1/5 to Jeffrey Walton on Fri Aug 2 17:00:01 2024
    On Fri, Aug 02, 2024 at 10:45:21AM -0400, Jeffrey Walton wrote:
    > On Fri, Aug 2, 2024 at 10:37 AM Roberto C. Sánchez <roberto@debian.org> wrote:
    >>
    >> On Fri, Aug 02, 2024 at 10:16:51AM -0400, Jeffrey Walton wrote:
    >>> On Fri, Aug 2, 2024 at 9:13 AM Brian <kimhick@yahoo.com> wrote:
    >>>>
    >>>> We just ran the latest updates for Debian Buster on one of our DNS servers running bind9 and one of the slave domains is failing with this message:
    >>>>
    >>>> Aug 2 07:05:20 <hostname> named[76759]: transfer of '<domain name>/IN' from <ip address>#53: Transfer status: too many records
    >>>>
    >>>> There are about 1,400 records in that domain which has never posed a problem in the past.
    >>>>
    >>>> We have tried force transfers, purging journal files and nothing seems to work.
    >>>>
    >>>> We rolled back the update to one performed earlier in the month and now everything is working.
    >>>>
    >>>> Anybody have any idea what is going on with this latest update?
    >>>
    >>> I think this might be "bind9 update 9.16.50 -- too many record" from
    >>> the debian-security mailing list at <https://lists.debian.org/debian-security/2024/07/msg00003.html>.
    >>
    >> Which seems unlikely on a system running buster.
    >
    > Maybe I am mis-parsing things, but the backporting to older Debian
    > versions is discussed, starting with the question, "Would you be
    > willing to backport the configuration of 9.20 so that companies using
    > larger record number per name can still use bind9 with security
    > update?" The first answer appears at <https://lists.debian.org/debian-security/2024/07/msg00004.html>.

    I agree that it is discussed as you say. However, that discussion is
    about backporting the 9.20 configuration changes to bind9 in *bullseye*,
    while the OP in this thread indicated that the problem was in bind9
    on a system running *buster*. The last bind9 update on buster [0] was
    uploaded on 2024-05-17, and did not involve the 9.20 configuration
    changes. So, the OP should be considering what else has changed that may
    have caused the observed failure.

    Regards,

    -Roberto

    [0] https://tracker.debian.org/news/1530724/accepted-bind9-19115p4dfsg-51deb10u11-source-into-oldoldstable/

    --
    Roberto C. Sánchez
