Package: bind9
Version: 1:9.11.5.P4+dfsg-5.1+deb10u1
Severity: normal

Dear Maintainer,

We run a Debian 10 recursive resolver with DNSSEC validation disabled, and
discovered that it puts negative answers in cache at a TTL of 3 hours (10800s),
regardless of the SOA's MINIMUM field.

Example query against a problem resolver:
$ dig @127.0.0.1 nx-domain.xyz | grep SOA
xyz. 10800 IN SOA ...snip snip... 3600
# rndc dumpdb -cache
# grep nx-domain /var/cache/bind/named_dump.db
nx-domain.xyz. 10800 \-ANY ...snip...

With DNSSEC validation enabled, the negative answer is cached correctly for
3600s.

As a workaround, we set min-ncache-ttl a bit bigger than the affected
internal zone's MINIMUM, and could keep dnssec-validation no.

The min-ncache-ttl patch for the 9.11 series misplaced `view->maxncachettl`
into the `view->minncachettl` position in ncache_message (patch
003_min_cache_ttl.diff lines 236 to 238, compared to the lines in validated()
above). This is also present in the stretch-backports patch.

This patch was dropped from bind9 9.12 packages onward, so sid/experimental
doesn't have this bug.

Please help refresh the patch, thank you.


-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii adduser 3.118
ii bind9utils 1:9.11.5.P4+dfsg-5.1+deb10u1
ii debconf [debconf-2.0] 1.5.71
ii dns-root-data 2019031302
ii libbind9-161 1:9.11.5.P4+dfsg-5.1+deb10u1
ii libc6 2.28-10
ii libcap2 1:2.25-2
ii libcom-err2 1.44.5-1+deb10u3
ii libdns1104 1:9.11.5.P4+dfsg-5.1+deb10u1
ii libfstrm0 0.4.0-1
ii libgeoip1 1.6.12-1
ii libgssapi-krb5-2 1.17-3
ii libisc1100 1:9.11.5.P4+dfsg-5.1+deb10u1
ii libisccc161 1:9.11.5.P4+dfsg-5.1+deb10u1
ii libisccfg163 1:9.11.5.P4+dfsg-5.1+deb10u1
ii libjson-c3 0.12.1+ds-2
ii libk5crypto3 1.17-3
ii libkrb5-3 1.17-3
ii liblmdb0 0.9.22-1
ii liblwres161 1:9.11.5.P4+dfsg-5.1+deb10u1
ii libprotobuf-c1 1.3.1-1+b1
ii libssl1.1 1.1.1d-0+deb10u3
ii libxml2 2.9.4+dfsg1-7+b3
ii lsb-base 10.2019051400
ii net-tools 1.60+git20180626.aebd88e-1
ii netbase 5.6

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn bind9-doc <none>
ii dnsutils 1:9.11.5.P4+dfsg-5.1+deb10u1
pn resolvconf <none>
pn ufw <none>

-- Configuration Files:
/etc/bind/named.conf.options changed:
options {
 directory "/var/cache/bind";
 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk. See http://www.kb.cert.org/vuls/id/800113
 // If your ISP provided one or more IP addresses for stable
 // nameservers, you probably want to use them as forwarders.
 // Uncomment the following block, and insert the addresses replacing
 // the all-0's placeholder.
 // forwarders {
 // 0.0.0.0;
 // };
 //========================================================================
 // If BIND logs error messages about the root key being expired,
 // you will need to update your keys. See https://www.isc.org/bind-keys
 //========================================================================
 dnssec-validation no;
 listen-on-v6 { any; };
};


-- debconf information:
  bind9/different-configuration-file:
  bind9/start-as-user: bind
  bind9/run-resolvconf: false
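The following is an added example, not code from this bug report, from BIND or from the Debian patch. It models the negative-cache TTL handling the report describes: the RFC 2308 rule (negative TTL is the lesser of the SOA record's TTL and its MINIMUM field), the clamp between min-ncache-ttl and max-ncache-ttl as validated() applies it, and a faulty clamp reconstructed from the reported symptom (every negative answer cached for 10800s) and the reported workaround (a min-ncache-ttl just above the zone's MINIMUM restores sane behaviour). The faulty clamp, the BIND defaults of min-ncache-ttl = 0 and max-ncache-ttl = 10800, and the SOA line contents are assumptions; the report's own SOA line is snipped, so the sample line is constructed. It also includes the check an operator can run over `dig` or `named_dump.db` output: a negative TTL above the SOA MINIMUM cannot come from RFC 2308 alone and points at a configured or buggy floor.

```python
"""Negative-cache TTL clamping in a recursive resolver (added example).

Assumptions, not taken from the report or from BIND source:
  * BIND defaults: min-ncache-ttl = 0, max-ncache-ttl = 10800 (3 hours).
  * RFC 2308 section 5: negative TTL = min(SOA TTL, SOA MINIMUM).
  * The faulty clamp below is a reconstruction that reproduces both the
    symptom and the workaround described in the report; it is not the
    patch text.
"""
import re
from dataclasses import dataclass

# Matches a presentation-format SOA line as printed by dig or found in a
# cache dump: name, TTL, class, type, MNAME, RNAME, then the five SOA numbers.
SOA_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+\S+\s+\S+\s+"
    r"\d+\s+\d+\s+\d+\s+\d+\s+(?P<minimum>\d+)\s*$"
)


@dataclass
class View:
    """The two view options that bound negative caching (defaults assumed)."""
    min_ncache_ttl: int = 0
    max_ncache_ttl: int = 10800  # 3 hours


def rfc2308_negative_ttl(soa_ttl: int, soa_minimum: int) -> int:
    """RFC 2308 s.5: a negative answer is cached for min(SOA TTL, MINIMUM)."""
    return min(soa_ttl, soa_minimum)


def clamp_correct(view: View, ttl: int) -> int:
    """Clamp the way validated() does: cap at the max, then raise to the min."""
    if ttl > view.max_ncache_ttl:
        ttl = view.max_ncache_ttl
    if ttl < view.min_ncache_ttl:
        ttl = view.min_ncache_ttl
    return ttl


def clamp_swapped(view: View, ttl: int) -> int:
    """Reconstructed faulty clamp (assumption): the floor test is written
    against min-ncache-ttl but assigns max-ncache-ttl, so any TTL above the
    floor becomes 3 hours. With the default floor of 0 that is every TTL;
    raising min-ncache-ttl above the zone's MINIMUM makes the test fail
    and the RFC 2308 value survives, which is the reported workaround."""
    if ttl > view.max_ncache_ttl:
        ttl = view.max_ncache_ttl
    if ttl > view.min_ncache_ttl:      # bug: should be '<' and assign the min
        ttl = view.max_ncache_ttl
    return ttl


def parse_soa(line: str):
    """Return (name, ttl, minimum) from a presentation-format SOA line."""
    m = SOA_RE.match(line)
    if not m:
        raise ValueError(f"not an SOA record line: {line!r}")
    return m["name"], int(m["ttl"]), int(m["minimum"])


def negative_ttl_exceeds_minimum(observed_ttl: int, soa_minimum: int) -> bool:
    """Operator check: a cached negative TTL above the SOA MINIMUM cannot be
    produced by RFC 2308 alone, so it indicates a floor being applied."""
    return observed_ttl > soa_minimum


def demo() -> dict:
    """Walk through the report's scenario with constructed sample data."""
    # Constructed: the SOA as the authoritative server would send it.
    auth_soa = ("xyz. 3600 IN SOA ns1.example.net. hostmaster.example.net. "
                "2020060101 7200 900 1209600 3600")
    _, soa_ttl, minimum = parse_soa(auth_soa)
    base = rfc2308_negative_ttl(soa_ttl, minimum)

    # Constructed: the SOA as the problem resolver hands it back (report shape).
    observed_line = ("xyz. 10800 IN SOA ns1.example.net. hostmaster.example.net. "
                     "2020060101 7200 900 1209600 3600")
    _, observed_ttl, observed_min = parse_soa(observed_line)

    return {
        "rfc2308": base,
        "correct_defaults": clamp_correct(View(), base),
        "buggy_defaults": clamp_swapped(View(), base),
        "buggy_with_workaround": clamp_swapped(View(min_ncache_ttl=3700), base),
        "suspicious": negative_ttl_exceeds_minimum(observed_ttl, observed_min),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `negative_ttl_exceeds_minimum` check is the same comparison the reporter made by hand between the `dig` SOA TTL (10800) and the MINIMUM field (3600); it can be run over the output of `rndc dumpdb -cache` to find affected resolvers before and after a fix.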
