size limit for incoming zone transfer
There was a request to add a knob which would control maximal allowed size of incoming zone transfer. We may also put some limitation upon the transfer time.
This feature is important for slave server operators.
- !541
Activity
- Author Contributor
@dsalzman, Do you think the knob should be part of zone/template configuration or ACL?
Edited by Jan Včelák - Owner
I would extend the zone/template section. ACLs are evaluated at the beginning of the transfer. The more interesting question is how to deal with IXFR :-)
- Author Contributor
I agree.
As for IXFR, we can sum the size of the updates in IXFR and refuse
- immediately when the size of the update exceeds the limit, or
- after the transfer when the new zone exceeds the limit.
Theoretically, this would allow the client to exceed the limit (about one time) for a while. I don't have a better idea now.
- Contributor
- would still allow DoSing the server
- Author Contributor
@ondrej How if 1) holds and the limit is set reasonably?
Edited by Jan Včelák - Contributor
Ah, in that case that's ok. But you need: limiting the size of the incoming transfer (to prevent simple resource exhaustion), limiting the time (to prevent slow-drip attacks) and limiting the final zone size (to prevent IXFR-style incremental attacks).
- Author Contributor
What I worry about most is the size of the final zone. I think the new zone is not constructed on the fly during the transfer, but after a complete transfer is received. This wouldn't be easy to change. Honestly, I would prefer a better solution for IXFR.
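The three limits discussed above (incoming transfer size, transfer time and the size of the resulting zone) applied together in one receiver, as an added example that is not Knot DNS code; the message format, the record model and all names (`receive_transfer`, `fake_clock`, `try_transfer`) are assumptions, and the sample messages are constructed.

```python
# Added example, not Knot DNS code: a receiver applying the three limits this
# thread discusses (transfer size, transfer time, resulting zone size) to a
# constructed AXFR/IXFR message stream. Format, record model and names are assumptions.
import itertools

class TransferRefused(Exception):
    """The transfer violated a configured limit and must be dropped."""

def receive_transfer(messages, current_zone, max_bytes, max_seconds, max_records, clock):
    """Consume transfer messages and return the new zone as a set of record strings.

    messages: iterable of {"wire": int, "add": [...], "remove": [...], "axfr": bool}
    clock:    callable returning seconds, injected so the example runs offline
    """
    started, received = clock(), 0
    zone = set(current_zone)   # an IXFR edits the current zone
    replaced = False           # an AXFR replaces it from its first message on
    for msg in messages:
        # Limit 1: cumulative bytes accepted from the master (resource exhaustion).
        received += msg["wire"]
        if received > max_bytes:
            raise TransferRefused(f"received {received} bytes, limit {max_bytes}")
        # Limit 2: wall-clock budget, so a slow-drip master cannot hold us forever.
        if clock() - started > max_seconds:
            raise TransferRefused(f"transfer exceeded {max_seconds} s")
        if msg.get("axfr"):
            if not replaced:
                zone, replaced = set(), True
        else:
            zone.difference_update(msg.get("remove", ()))
        zone.update(msg.get("add", ()))
        # Limit 3: the zone being built, checked after every message rather than
        # only at the end, so incremental IXFRs cannot push it past the cap even once.
        if len(zone) > max_records:
            raise TransferRefused(f"zone would hold {len(zone)} records, limit {max_records}")
    return zone

def fake_clock(ticks):
    """Constructed clock: returns the given timestamps in order, repeating the last."""
    seq = itertools.chain(ticks, itertools.repeat(ticks[-1]))
    return lambda: next(seq)

def try_transfer(*args):
    """Return ("accepted", zone) or ("refused", reason) instead of raising."""
    try:
        return "accepted", receive_transfer(*args)
    except TransferRefused as exc:
        return "refused", str(exc)
```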
- Vitezslav Kriz mentioned in merge request !541 (merged)
The ability for the master to send an unlimited zone file and to kill the slave has been publicly documented here https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html and there is a proof of concept https://github.com/sischkg/xfer-limit (with a proposed patch for Knot (I did not check if merge request 541 is the same)).
IMHO, this bug should be moved from "feature" to "security".
For the record, this is apparently CVE-2016-6171
- Ondřej Surý added security label
- Ondřej Surý added bug label and removed feature label
- Vitezslav Kriz mentioned in merge request !549 (merged)
- Jan Včelák Status changed to closed by commit a88620a9
- Jan Včelák mentioned in commit a88620a9
- Daniel Salzman mentioned in commit c204b7f4