On 14.09.2015 14:15, Daisuke HIGASHI via Unbound-users wrote:
> Hi,
>
> SERVFAIL on tweakers.net seems to be from the fix for CVE-2014-8500.
> This fix essentially limits the number of queries (to authoritative servers)
> to resolve the target qname. If a qname requires many queries to resolve,
> it becomes SERVFAIL. This situation often occurs when the cache is empty
> (e.g. just after starting unbound or a cache flush).
>
> bind-users have discussed the same issue last year:
> https://lists.isc.org/pipermail/bind-users/2014-December/thread.html
>
> Possible workarounds are to increase MAX_TARGET_COUNT
> (iterator/iterator.h) to relax the number-of-queries limitation, but it may
> reduce robustness against CVE-2014-8500-related attacks.
I think it is worth considering not having to recompile Unbound. It would be
much nicer to have this configurable in unbound.conf, something similar to
what BIND allows with the max-recursion-queries option.

Tomas

> Regards,
> --
> Daisuke HIGASHI
>
>
> 2015-09-11 18:39 GMT+09:00 Frank de Bot via Unbound-users
> <[email protected]>:
>> Hi,
>>
>> Under FreeBSD I'm setting up a resolve-only unbound server. While testing
>> I've noticed some domains do not resolve (server returns SERVFAIL)

--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc.                       http://cz.redhat.com
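To make the mechanism discussed in this thread concrete, here is an added toy model of a per-query "target" budget. It is not Unbound's iterator code and not code posted by anyone in the thread; the zone names (example., hosting-a.test., attacker.test.), the addresses and the delegation layout are constructed, and the real accounting behind Unbound's MAX_TARGET_COUNT (or BIND's max-recursion-queries) differs in detail. The model shows the two effects described above: a legitimate name whose nameservers sit in a chain of out-of-bailiwick zones costs one budget unit per hop, so it fails from an empty cache and succeeds once one hop is already cached or the budget is raised; and a CVE-2014-8500-style attacker chain costs a bounded number of queries with a budget but one query per hop without one.

```python
# Toy model of a resolver's per-query target budget (added illustration, not
# Unbound code; zone names, addresses and delegation layout are constructed).
from dataclasses import dataclass, field
from typing import Dict, List


class ServFail(Exception):
    """Raised when the target budget for one client query is exhausted."""


@dataclass
class Delegations:
    """Constructed authoritative data: zone -> NS hostnames, hostname -> address."""
    ns: Dict[str, List[str]]
    addrs: Dict[str, str]

    def zone_for(self, name: str) -> str:
        """Closest enclosing zone we hold delegation data for."""
        labels = name.split(".")
        zones = (".".join(labels[i:]) for i in range(len(labels)))
        return next(z for z in zones if z in self.ns)


@dataclass
class Resolver:
    data: Delegations
    max_target_count: int                                 # cf. MAX_TARGET_COUNT
    cache: Dict[str, str] = field(default_factory=dict)   # hostname -> address
    queries_sent: int = 0                                 # to authoritative servers
    _targets: int = 0                                     # budget used so far

    def resolve(self, qname: str) -> str:
        """Answer one client query: the address of qname, or raise ServFail."""
        self._targets = 0
        self.cache[qname] = self._lookup(qname)
        return self.cache[qname]

    def _lookup(self, qname: str) -> str:
        if qname in self.cache:
            return self.cache[qname]
        zone = self.data.zone_for(qname)
        # Toy accounting: one query per name looked up (parent referral and
        # the query to the zone's own server are folded into one).
        self.queries_sent += 1
        self._ns_address(self.data.ns[zone][0], zone)   # first NS only, no retries
        return self.data.addrs[qname]

    def _ns_address(self, ns_name: str, zone: str) -> str:
        if ns_name in self.cache:
            return self.cache[ns_name]
        if ns_name.endswith("." + zone):
            # In-bailiwick: the parent hands out glue, no extra lookup needed.
            addr = self.data.addrs[ns_name]
        else:
            # Out-of-bailiwick: a new target, charged against the budget.
            self._targets += 1
            if self._targets > self.max_target_count:
                raise ServFail(f"budget {self.max_target_count} exceeded at {ns_name}")
            addr = self._lookup(ns_name)
        self.cache[ns_name] = addr
        return addr


def legit_data() -> Delegations:
    """Ordinary hosting: each provider's NS hosts live in another provider's zone."""
    return Delegations(
        ns={"example.": ["ns1.hosting-a.test."],
            "hosting-a.test.": ["ns.hosting-b.test."],
            "hosting-b.test.": ["ns.hosting-c.test."],
            "hosting-c.test.": ["ns.hosting-c.test."]},      # in-bailiwick, glue
        addrs={"www.example.": "198.51.100.10", "ns1.hosting-a.test.": "192.0.2.1",
               "ns.hosting-b.test.": "192.0.2.2", "ns.hosting-c.test.": "192.0.2.3"})


def resolve_www(max_target_count: int, warm: bool = False) -> str:
    """Resolve www.example.; 'warm' pre-caches one NS address as an earlier query would."""
    r = Resolver(legit_data(), max_target_count)
    if warm:
        r.cache["ns.hosting-b.test."] = "192.0.2.2"
    try:
        return r.resolve("www.example.")
    except ServFail:
        return "SERVFAIL"


def attack_data(depth: int) -> Delegations:
    """CVE-2014-8500-style chain: every zone's NS lives in the next zone down."""
    ns, addrs = {}, {"victim.z0.attacker.test.": "203.0.113.9"}
    for i in range(depth + 1):
        zone = f"z{i}.attacker.test."
        nxt = f"z{i + 1}.attacker.test." if i < depth else zone  # last hop: glue
        ns[zone] = [f"ns.{nxt}"]
        addrs[f"ns.{zone}"] = f"10.{i // 256}.{i % 256}.1"
    return Delegations(ns=ns, addrs=addrs)


def queries_spent(depth: int, max_target_count: int) -> int:
    """Queries sent chasing the chain before answering or giving up with SERVFAIL."""
    r = Resolver(attack_data(depth), max_target_count)
    try:
        r.resolve("victim.z0.attacker.test.")
    except ServFail:
        pass
    return r.queries_sent
```

With a budget of 2, resolve_www(2) from an empty cache returns SERVFAIL, while resolve_www(3) or resolve_www(2, warm=True) returns 198.51.100.10: the same name, the same budget, and the cache state decides the outcome, which is the cold-cache symptom Daisuke describes. Against a 50-hop attacker chain, queries_spent(50, 4) stops after 5 queries where an unbudgeted resolver sends 51, which is the robustness the budget buys and what raising MAX_TARGET_COUNT trades away.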
