Multiple rate-limit clauses are unsupported
Summary
When attempting to use multiple rate-limit statements, named reports that they are unsupported, yet the ARM states that they are supported.
BIND version used
BIND 9.11.3 (Extended Support Version) <id:a375815>
running on Linux x86_64 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' '--enable-sigtrace' '--enable-fetchlimit' '--with-gssapi=yes' '--disable-isc-spnego' '--with-tuning=large' '--with-geoip' '--with-python' '--with-dnstap' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-16)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
Steps to reproduce
Add multiple rate-limit clauses to the options clause, each setting a different rate-limit policy for a different domain.
What is the current bug behavior?
named fails to load the configuration: it rejects the 'domain' option as unknown and does not allow rate-limit to be redefined.
What is the expected correct behavior?
named should load the configuration.
Relevant configuration files
Simple test configuration within the options clause:
rate-limit {
    domain test-domain.com;
    all-per-second 10;
};
rate-limit {
    domain test-domain.net;
    errors-per-second 30;
};
rate-limit {
    all-per-second 300;
};
Relevant logs and/or screenshots
May 14 15:43:05 localhost bash: /etc/named.conf:108: unknown option 'domain'
May 14 15:43:05 localhost bash: /etc/named.conf:111: 'rate-limit' redefined near 'rate-limit'
Page 129 of the 9.11.6-P1 ARM (https://ftp.isc.org/isc/bind9/9.11.6rc1/doc/arm/Bv9ARM.pdf):
Rate limiters for different name spaces maintain separate counters: If, for example, there is a rate-limit statement for "com" and another for "example.com", queries matching "example.com" will not be debited against the rate limiter for "com".
If a rate-limit statement does not specify a domain, then it applies to the root domain (".") and thus affects the entire DNS namespace, except those portions covered by other rate-limit statements.
Page 96 of the 9.10.0 ARM (https://ftp.isc.org/isc/bind9/9.10.0/doc/arm/Bv9ARM.pdf):
The optional domain clause specifies the namespace to which rate limits will apply. It is possible to use different rate limits for different names by specifying multiple rate-limit blocks with different domain clauses. The rate-limit statement whose domain most closely matches the query name will be the one applied to a given query.
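To make the behaviour the two ARM passages describe concrete, the following is an added illustration (not BIND's code, and not what the 9.11.3 build above actually does, since it rejects the 'domain' option): a small model in which each rate-limit block covers a namespace, a query is debited only against the block whose domain most closely matches the query name, and a block without a domain covers the root ".". The three blocks are the ones from the configuration in this report. Assumptions, labelled in the comments: only all-per-second is modelled, counters are kept per client address in fixed one-second buckets, and a block that sets no all-per-second value imposes no limit but still captures its namespace. The client address and traffic are constructed.

```python
# Added illustration of the ARM's multi-block rate-limit semantics; not BIND's code.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RateLimitBlock:
    domain: str = "."                       # namespace covered; "." is the root
    all_per_second: Optional[int] = None    # None: no all-per-second limit (assumption)
    # (client, second) -> responses already sent in that second (assumption: 1 s buckets)
    counters: Dict = field(default_factory=lambda: defaultdict(int))


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels; the root "." becomes the empty list."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


class RateLimiter:
    def __init__(self, blocks: List[RateLimitBlock]):
        # index blocks by their normalised domain ("" is the root)
        self.blocks = {".".join(_labels(b.domain)): b for b in blocks}

    def select(self, qname: str) -> Optional[RateLimitBlock]:
        """Return the block whose domain most closely matches qname
        (longest label-wise suffix), falling back to the root block if any."""
        labels = _labels(qname)
        for i in range(len(labels) + 1):
            candidate = ".".join(labels[i:])
            if candidate in self.blocks:
                return self.blocks[candidate]
        return None

    def respond(self, client: str, qname: str, now: float) -> str:
        """Debit one response against the matching block only; 'dropped' once
        that block's all-per-second limit for this client and second is exceeded."""
        block = self.select(qname)
        if block is None or block.all_per_second is None:
            return "allowed"
        key = (client, int(now))
        block.counters[key] += 1
        return "allowed" if block.counters[key] <= block.all_per_second else "dropped"


def demo() -> Dict:
    """Replay constructed traffic against the three blocks from the report."""
    limiter = RateLimiter([
        RateLimitBlock("test-domain.com", all_per_second=10),
        RateLimitBlock("test-domain.net"),   # errors-per-second only; not modelled here
        RateLimitBlock(".", all_per_second=300),
    ])
    client = "192.0.2.1"                     # constructed client address
    dropped: Dict[str, int] = defaultdict(int)
    # 12 responses per name from one client within the same second
    for name in ("www.test-domain.com.", "www.test-domain.net.", "www.example.org."):
        for _ in range(12):
            if limiter.respond(client, name, 1000.0) == "dropped":
                dropped[name] += 1
    root = limiter.select(".")
    return {
        "dropped": dict(dropped),                     # only test-domain.com exceeds its limit
        "root_counter": root.counters[(client, 1000)],  # only example.org debited the root block
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the separation the ARM promises: the two responses over test-domain.com's limit of 10 are dropped, the test-domain.net responses are neither limited nor counted against the root block, and the root block's counter holds only the 12 example.org responses.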