On 6/3/25 12:06, Petr Špaček wrote:
On 6/3/25 11:29, Nick Tait wrote:
On 02/06/2025 23:30, Petr Špaček wrote:
In short, with an empty cache, BIND will exceed the pre-configured limit
on the number of queries it can do. This is protection from various
attacks which misuse DNS to attack itself.
Thanks for the explanation!
This particular recursive query doesn't seem especially out-of-the-ordinary
to me, in terms of the number of name servers returned for each
authoritative zone, so it was a little surprising to me that it would hit
the default limit setting. However, when I took a closer look at the
combined impact that QNAME minimisation and DNSSEC and IPv4+IPv6 has on
the number of queries, it is actually not so surprising after all...
I want to underline that this happens with a totally empty cache. If you
try, get SERVFAIL (limits exceeded), and try again in 5 seconds, you will
get an answer.
As for the number of servers involved and all that... well... have a look
at this graph:
https://trans-trust.verisignlabs.com/?z=195.5.90.45.in-addr.arpa.
It's not exactly a trivial tree to walk through if you don't know where
you are going and have a max. of 50 steps available. (BTW the chart does
not show A/AAAA queries for NS names, only the server names involved.)
--
Petr Špaček
Internet Systems Consortium
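To put numbers on the point above about QNAME minimisation, DNSSEC and A+AAAA lookups for NS names stacking up, here is an added Python model. It is not BIND code and not from the thread; it counts the queries a resolver would send to resolve one PTR name through a constructed delegation tree (modelled on 195.5.90.45.in-addr.arpa., with every NS name out of bailiwick under a signed test. TLD) and compares the count with the 50-query budget Petr mentions. Assumptions, all mine: the tree itself, four NS-address lookups per zone, one DNSKEY query per signed zone (DS assumed to arrive with the referral), no abort mid-resolution when the limit is hit, and that the limit corresponds to BIND's max-recursion-queries option (its default is not assumed here).

```python
"""Query fan-out of a recursive resolver starting from an empty cache.

Added illustration, not BIND code. Counts queries needed to resolve one name
through a CONSTRUCTED delegation tree, with QNAME minimisation, DNSSEC
validation and IPv4+IPv6 NS-address lookups switchable, and compares the
total with a per-resolution limit. All zones, names and costs are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str           # apex with trailing dot
    nameservers: tuple  # NS hostnames
    glue: bool          # parent referral already carries A/AAAA for the NS
    signed: bool        # DNSKEY must be fetched when validating


@dataclass
class Options:
    qname_min: bool = True  # one query per label step instead of per zone
    dnssec: bool = True     # fetch DNSKEY of every signed zone on the path
    ipv6: bool = True       # fetch AAAA as well as A for NS hostnames
    ns_lookups: int = 4     # NS names per zone whose addresses get fetched (assumed)
    limit: int = 50         # queries allowed per resolution (the "50 steps" above)


def _labels(name):
    return [] if name == "." else name.rstrip(".").split(".")


def zone_path(name, zones):
    """Zones whose apex is a suffix of `name`, root first."""
    labels = _labels(name)
    suffixes = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return [zones[s] for s in suffixes if s in zones]


class Resolver:
    """Counts queries; the sets below are the (initially empty) cache."""

    def __init__(self, zones, opts):
        self.zones, self.opts = zones, opts
        self.answers = set()   # (name, rtype) pairs already answered
        self.known = set()     # child zones whose delegation is cached
        self.dnskey = set()    # zones whose DNSKEY is cached
        self.probed = set()    # minimised intermediate names already asked
        self.busy = set()      # zones being reached right now (cycle guard)

    def _walk_cost(self, apex, target):
        """Queries to get from `apex`'s servers to `target`."""
        if not self.opts.qname_min:
            return 1
        labels, cost = _labels(target), 0
        depth = len(labels) - len(_labels(apex))
        for k in range(depth - 1, 0, -1):     # intermediate names, shortest first
            probe = ".".join(labels[k:]) + "."
            if probe not in self.probed:      # a cached NODATA/referral is not re-asked
                self.probed.add(probe)
                cost += 1
        return cost + 1                       # plus the query for `target` itself

    def _reach(self, zone):
        """Queries spent learning addresses of `zone`'s nameservers."""
        if zone.glue or zone.name in self.busy:
            return 0
        self.busy.add(zone.name)
        cost = 0
        for host in zone.nameservers[: self.opts.ns_lookups]:
            cost += self._resolve(host, "A")
            if self.opts.ipv6:
                cost += self._resolve(host, "AAAA")
        self.busy.discard(zone.name)
        return cost

    def _resolve(self, name, rtype):
        if (name, rtype) in self.answers:
            return 0
        path, cost = zone_path(name, self.zones), 0
        for i, zone in enumerate(path):
            cost += self._reach(zone)
            if self.opts.dnssec and zone.signed and zone.name not in self.dnskey:
                self.dnskey.add(zone.name)
                cost += 1
            if i + 1 < len(path):                      # walk to the next delegation
                child = path[i + 1]
                if child.name not in self.known:
                    cost += self._walk_cost(zone.name, child.name)
                    self.known.add(child.name)
            else:                                      # final zone: ask for the name
                cost += self._walk_cost(zone.name, name)
        self.answers.add((name, rtype))
        return cost

    def lookup(self, name, rtype="PTR"):
        """(status, queries). Everything learned stays cached on SERVFAIL except
        the final answer, so a retry only pays for the last step."""
        queries = self._resolve(name, rtype)
        if queries > self.opts.limit:
            self.answers.discard((name, rtype))
            return "SERVFAIL", queries
        return "NOERROR", queries


def _ns(label, n=4):
    return tuple(f"ns{i}.{label}.test." for i in range(1, n + 1))


# Constructed tree: every NS name is out of bailiwick under the signed test. TLD,
# so each one costs its own A (+AAAA) lookups, which the verisignlabs chart omits.
ZONES = {z.name: z for z in (
    Zone(".", ("a.root.test.",), glue=True, signed=True),
    Zone("test.", ("ns1.test.",), glue=True, signed=True),
    Zone("arpa.", _ns("arpa"), glue=False, signed=True),
    Zone("in-addr.arpa.", _ns("inaddr"), glue=False, signed=True),
    Zone("45.in-addr.arpa.", _ns("rir"), glue=False, signed=True),
    Zone("90.45.in-addr.arpa.", _ns("isp"), glue=False, signed=True),
    Zone("5.90.45.in-addr.arpa.", _ns("customer"), glue=False, signed=False),
)}
QNAME = "195.5.90.45.in-addr.arpa."


def query_counts(name=QNAME):
    """(status, queries) per feature combination, each from an empty cache."""
    combos = {
        "plain": Options(qname_min=False, dnssec=False, ipv6=False),
        "qmin+dnssec": Options(ipv6=False),
        "dnssec+v6": Options(qname_min=False),
        "qmin+dnssec+v6": Options(),
    }
    return {label: Resolver(ZONES, opts).lookup(name) for label, opts in combos.items()}


def first_and_retry(name=QNAME):
    """Resolve twice with the same resolver: the retry reuses the warm cache."""
    r = Resolver(ZONES, Options())
    return r.lookup(name), r.lookup(name)


if __name__ == "__main__":
    for label, (status, n) in query_counts().items():
        print(f"{label:15s} {n:3d} queries -> {status}")
    print("first try, then retry:", first_and_retry())
```

In this constructed tree the plain walk costs 27 queries, the fully featured one 58, and most of the difference is A/AAAA lookups for the out-of-bailiwick NS names rather than the DNSKEY or minimised-label queries themselves; a second lookup from the same resolver costs one query because the delegations, DNSKEYs and NS addresses survived the SERVFAIL, which is the "try again in 5 seconds" behaviour described above.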
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users