RRL wildcard special-case strips only a single label
The following received by Security Officer:
I think I've found a bug in the request-rate limiting logic. The issue
is that the RRL logic for wildcard domains strips exactly 1 label from
The idea is that a million unique queries with one src addr for
*.example.com should be treated as a million identical queries for
example.com (triggering the RRL).
However, *.example.com will match any.number.of.labels.example.com, so
stripping a single label is insufficient. An attacker who can spoof
their source IP is able to send a million queries of
x.$UNIQUE.example.com, the RRL strips the x, and sees a million unique
Is there a flag somewhere that limits wildcards to matching a single
label? If not, this seems like a security issue because it opens any
authoritative name server with a wildcard record to be hijacked for
I've verified the bug exists with the latest development version of bind
available on isc.org (9.19.2).
For reproducing, I've included a query.c file that will run 100 queries
against a nameserver. Read the source code or compile it and run it
without arguments for details on using it.
But if you have a local bind server serving a *.example.com record, you
can reproduce the behavior by running:
# the $ means "make this label always unique" ./query $.example.com
which will hang after hitting the RRL limit, and then running
which will finish all 100 queries without issue.query.c