On Wed, Dec 03, 2025 at 09:50:12AM -0500, Ben Scott wrote:
! On 12/3/25 06:43, Peter 'PMc' Much wrote:
! > At 17:00 yesterday I changed from BIND 9.18 to 9.20.
!
! 9.18.what to 9.20.what?
Hm ...
Dec 2 17:32:21 <user.notice> conr pkg[47766]: bind918-9.18.39 deinstalled
Dec 2 17:32:28 <user.notice> conr pkg[47771]: bind920-9.20.16 installed
! > Now I counted the RRs processed for a specific activity ...
!
! It's not clear to me exactly what you're measuring here (incoming RRs
! passing over the wire in the process of answering a given set of queries?),
Not wire, BIND reporting via dnstap.
! but I'd hazard a guess that you upgraded from <= 9.18.39 to >= 9.20.15 and
That is correct.
! are now seeing the additional work BIND puts in to compensate for
! CVE-2025-40778.
Thank you, that looks ugly. But doesn't tell much.
And, actually there is an impact with this ( s/NXDOMAIN/SERVFAIL/ ):
# rndc flush temptest
# host -t NAPTR tel.t-online.de
Host tel.t-online.de not found: 3(NXDOMAIN)
# rndc flush temptest
# host -t NAPTR tel.t-online.de
Host tel.t-online.de not found: 3(NXDOMAIN)
This possibly did not work in 9.18 either.
Then:
max-recursion-queries 100;
This *DID* work in 9.18
# rndc flush temptest
# host -t NAPTR tel.t-online.de
Host tel.t-online.de not found: 3(NXDOMAIN)
# rndc flush temptest
# host -t NAPTR tel.t-online.de
Host tel.t-online.de not found: 3(NXDOMAIN)
max-recursion-queries 400;
root@conr:~ # rndc flush temptest
root@conr:~ # host -t NAPTR tel.t-online.de
tel.t-online.de has NAPTR record 10 0 "s" "SIPS+D2T" "" _sips._tcp.tel.t-online.de.
tel.t-online.de has NAPTR record 30 0 "s" "SIP+D2T" "" _sip._tcp.tel.t-online.de.
tel.t-online.de has NAPTR record 20 0 "s" "SIP+D2U" "" _sip._udp.tel.t-online.de.