On 12/3/25 11:04, Peter 'PMc' Much wrote:
> ! are now seeing the additional work BIND puts in to compensate for
> ! CVE-2025-40778.
> Thank You, that looks ugly. But doesn't tell much.
Briefly: BIND can no longer safely trust glue records for a domain it
did not ask about, so it has to make more queries to learn the addresses
of name servers. For some of the ridiculously long referral chains out
there, this can easily mean 10 or more new outgoing queries.
Sometimes the result can even differ, when it turns out the glue
records don't match the rest of the world.
> And, actually there is an impact with this ( s/NXDOMAIN/SERVFAIL/ ):
> # rndc flush temptest
> # host -t NAPTR tel.t-online.de
> Host tel.t-online.de not found: 3(NXDOMAIN)
I see similar when I try "dig NAPTR tel.t-online.de. @127.0.0.1"
against a freshly started "named", for both 9.20 and 9.18.
My first few attempts (dig invocations) got SERVFAIL, but within
three or so repeats, I get the answer. Those symptoms usually mean
max-recursion-queries, combined with the cache filling with each
successive query attempt. BIND keeps the cached answers it gets, even
if it SERVFAILs later, so repeating the query gets closer each time.
In my case, I could make it worse/better by disabling BIND's use of
IPv6. I don't have IPv6 available at home at the moment, so disabling
it let BIND skip a bunch of queries that wouldn't work anyway. Figuring
that out counts against max-recursion-queries. So if you don't
have good IPv6 connectivity, make sure you configure BIND accordingly.
As an aside: Now that you're on 9.20, a very useful technique is
"delv" with the "+ns" option. This creates a full nameserver instance
inside the "delv" process, more-or-less the same way "named" would, and
then runs the query using that nameserver. This lets one examine what
"named" would do, without the hassle of starting/flushing the daemon,
reading the logs, etc. Set the debug level to see more. "-d3" is
usually a good start. "-d99" will show you more than you ever wanted to
know about how BIND works.
Case in point: "delv -4 -d3 +ns NAPTR tel.t-online.de. | less" (and
then hitting G) let me see that it was concluding with SERVFAIL.
Working backward from there, I see lots of "exceeded max queries"
messages. I was then able to modify the command with "delv -4 -d3 +ns
+maxqueries=100 NAPTR tel.t-online.de. | less" and see the proper answer.
Hope this helps,
-- Ben
--
Any opinions expressed in this message are those of the author alone.
All information is provided without warranty of any kind.
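A small helper, added here and not part of Ben's message, that automates the escalation he describes: run "delv +ns" at increasing +maxqueries values and stop at the first limit that yields an answer. It assumes delv reports failures on a ";; resolution failed: <RCODE>" line and that the -d3 stream contains the "exceeded max queries" text he quotes; the sample outputs are constructed, and the real probe needs a delv binary and network access.

```python
"""Probe a name with 'delv +ns' at escalating +maxqueries limits."""
import re
import subprocess
import sys
from typing import Callable, Optional

# Marker text assumed from the thread ("exceeded max queries") and from
# delv's result line; adjust if your delv version words them differently.
EXCEEDED_RE = re.compile(r"exceeded max queries")
FAILED_RE = re.compile(r"^;; resolution failed: (\w+)", re.M)

# Constructed sample outputs, not captured from a real run.
SAMPLE_FAILING = (
    "debug: exceeded max queries\n"
    "debug: exceeded max queries\n"
    ";; resolution failed: SERVFAIL\n"
)
SAMPLE_ANSWER = (
    "; unsigned answer\n"
    "example.test. 300 IN NAPTR 10 100 \"s\" \"SIP+D2T\" \"\" _sip._tcp.example.test.\n"
)


def summarize_delv(output: str) -> dict:
    """Reduce delv output to the two facts the thread reasons from:
    the final rcode (or ANSWER) and how often the query budget ran out."""
    failed = FAILED_RE.search(output)
    return {
        "status": failed.group(1) if failed else "ANSWER",
        "exceeded": len(EXCEEDED_RE.findall(output)),
    }


def find_working_limit(run: Callable[[int], str],
                       limits=(50, 100, 200, 400)) -> Optional[int]:
    """Call run(limit) for each candidate +maxqueries value and return the
    first limit whose output is a real answer, or None if all SERVFAIL."""
    for limit in limits:
        if summarize_delv(run(limit))["status"] == "ANSWER":
            return limit
    return None


def run_delv(name: str, rrtype: str, limit: int, ipv4_only: bool = True) -> str:
    """Real probe: internal resolver (+ns), debug level 3, IPv4 only by default
    so a missing IPv6 path does not eat into the query budget."""
    cmd = ["delv"] + (["-4"] if ipv4_only else []) + [
        "-d3", "+ns", f"+maxqueries={limit}", rrtype, name]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr  # debug lines arrive on stderr


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "tel.t-online.de."
    print(find_working_limit(lambda n: run_delv(name, "NAPTR", n)))
```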