On 12/4/25 10:09, Peter 'PMc' Much wrote:
! My first few attempts (dig invocations) got SERVFAIL, but within three or
! so repeats, I get the answer.  Those symptoms usually mean
! max-recursion-queries, combined with the cache filling with each successive
! query attempt.

So this means, the concerning queries are to be run multiple times
until they work?

No, it means if you see those symptoms, that is the usual cause. Nothing more, and nothing less. :-)

Operators may well find they need to increase max-recursion-queries these days, given that CNAME and referral chains keep getting longer and longer, and it seems nobody is able to say "no" to it. You will need to determine the best value for your needs/clients/etc.

In my case, I could make it worse/better by disabling BIND's use of IPv6.

Okay, but here, no way! I *love* IPv6!

I have got nothing against IPv6, but if it is not working for whatever reason, telling BIND about that fact will reduce needless queries. That was the point.

From what I've learned, it is not a good idea to just level up
max-recursion-queries ...

It is neither good nor bad in the abstract. You need to consider the typical behavior of your various clients, your security posture, threat model, available resources, and so on, and determine the best value for you. As hardware and bandwidth get cheaper, yesterday's necessary limits may become less necessary.

I did try that patch (which doesn't seem to exist anymore) ...
> https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11205

I am not sure what you mean here. Merge Request 11205 was canceled, yes, but it was replaced with MR 11258. The latter has been merged into the 9.20 branch. The hope is for it to become part of a future 9.20.x maintenance release, unless problems are found.

... for about
14 days, and while it still brought up issue 1. (with default
max-recursion-queries), at least I didn't see cases of issue 2.

If you were testing the patch from MR 11205, you may want to try the patch from MR 11258 now. You can obtain it by clicking the commit ID in the "Merged" notice, and then on the resulting Commit details page, clicking the "Options" widget at the upper right, and then in the resulting menu, clicking "Plain Diff". Direct link:

https://gitlab.isc.org/isc-projects/bind9/-/commit/457b470e966a44102e1ef4e2c3631d5829dace3e.diff

All the usual caveats and warnings about pre-release patches apply: Be careful, have backups, test before deployment, have a rollback plan, monitor closely, may fail horribly, etc, etc. But if you do try it, please do let us know what you find.

  -- Ben

--
Any opinions expressed in this message are those of the author alone.
All information is provided without warranty of any kind.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.
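
Added example, not part of the original message or of BIND: a small shell helper for recognising the symptom discussed above (SERVFAIL on the first few identical queries, then an answer once the cache has filled). The function names `rcode_of`, `classify` and `probe` are hypothetical, and a "warmup" verdict is only consistent with hitting max-recursion-queries, not proof of it.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the rcodes seen over
# repeated identical queries sent to one resolver.

# rcode_of: extract the rcode from dig's header line on stdin, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242"
rcode_of() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify: given rcodes in attempt order, name the pattern.
classify() {
    fails=0 seen_ok=0
    for rc in "$@"; do
        case $rc in
            SERVFAIL)
                # A failure after a success is not the cache-warm-up pattern.
                [ "$seen_ok" -eq 1 ] && { echo flapping; return; }
                fails=$((fails + 1)) ;;
            NOERROR) seen_ok=1 ;;
            *) echo "other:$rc"; return ;;
        esac
    done
    if [ "$seen_ok" -eq 0 ]; then echo persistent-servfail
    elif [ "$fails" -eq 0 ]; then echo clean
    else echo "warmup-after-$fails"
    fi
}

# probe: query NAME through resolver SERVER up to N times (default 5)
# and classify the sequence. Needs dig and a reachable resolver.
probe() {
    server=$1 name=$2 n=${3:-5} codes= i=0
    while [ "$i" -lt "$n" ]; do
        rc=$(dig +noall +comments "@$server" "$name" A | rcode_of)
        codes="$codes ${rc:-TIMEOUT}"
        i=$((i + 1))
    done
    # Word splitting is intended here: one argument per attempt.
    classify $codes
}
```

Run `probe` once with the current max-recursion-queries value and again after changing it (or after telling BIND that IPv6 is unavailable), restarting or flushing the cache in between so each run starts cold.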
