Does BIND 9.3.2 have problems related to forwarding?

Peter Dambier peter at
Wed May 24 11:27:51 UTC 2006

Eivind Olsen wrote:
> Hello.
> Does anyone know if BIND 9.3.2 has any bugs/issues related to forwarding?
> I have a DNS server where some zones are deliberately "hijacked" and 
> told to query another server through the use of a per-zone forwarder. 
> This is done by declaring the zone to be of type forward, like this:
> zone "" {
>    type forward;
>    forwarders {; };
> };
> There is no forwarder-configuration set in the generic options-section, 
> only on specific zones (pretty much like the example on p269 in "DNS and 
> BIND, 4th edition" (Chapter 10, Forwarding)).
> The options section looks like this:
> options {
>          directory "/opt/named";
>          pid-file "";
>          allow-query { any; };
>          allow-transfer { my_net; trusted_parties; };
>          allow-recursion { my_net; };
>          query-source  address;
>          tcp-clients 200;
>          recursive-clients 2000;
>          version "Semi-secret";
> };
> (the named.conf file begins by defining some ACLs, then TSIG-key + 
> controls statement, then this options section, followed by definition 
> for zone "." and "", and finally it uses INCLUDE to 
> get the list of the zones which should be forwarded.)
> So, to sum it up, the server is a recursive server doing normal DNS 
> lookups on behalf of DNS clients, and on some zones it forwards the 
> request to another server which gives a distinct answer back.
> Now, on to the problem. I've seen that some queries have been given 
> incorrect replies - a zone which is NOT defined in the configuration has 
> ended up with a reply as if it has been forwarded, which it should not.
> It just happens to some queries, but once it has happened, that 
> information is cached.
> Has anyone seen any problems like this? Any suggestions on what the 
> problem might be? I've given this a lot of thought and can't see where 
> it could go wrong, except if there are bugs in BIND related to this. But 
> I would very much like to be proven wrong on that.

I did have problems like this. The easiest way to reproduce it is to
use a different set of root-servers and watch when the root is overwritten.

I could never trace it. I got rid of it by slaving the zones that got
overwritten. It is nasty to do that on a cache only server but it gets
rid of the problem. I have seen some ISPs doing exactly the same
with their resolvers.

> Oh, another thing. I've looked on the changes-file for BIND 9.4.0a5 and 
> searched for forward-related things. I see the following entry, but 
> I'm not really sure what the entry is about or if it could be related. 
> Could someone perhaps shed some light on what this entry is about?
> "1961.   [bug]           Check the port and address of responses 
> forwarded to dispatch. [RT #15474]"

It sounds like what Dan Bernstein asked the BIND developers
to do. So I guess, yes that is it. I have been running 9.4.0a5 for some
days now, mostly as cache but slaving a couple of zones too. I have
not seen any hijacking yet but my system does not serve too many

Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP:
mail: peter at

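The changelog entry quoted in the thread speaks of checking the port and address of responses. As an added illustration (not code from this thread and not BIND's implementation), the Python below shows the kind of acceptance test a resolver can apply before caching a reply from a forwarder: source address and port, transaction ID, QR bit and question section must all match the outstanding query. The function names and the sample addresses used with it are assumptions made for the example.

```python
import struct

def build_query(txid, qname, qtype=1):
    """Encode a minimal DNS query (constructed sample data: one question, RD set)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (lowercased qname, qtype, qclass) of the first question, or None."""
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(msg):  # compression pointer or truncated label
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def accept_response(sent_to, query, reply_from, reply):
    """Return (ok, reason); sent_to and reply_from are (ip, port) tuples."""
    if reply_from[0] != sent_to[0]:
        return False, "source address mismatch"
    if reply_from[1] != sent_to[1]:
        return False, "source port mismatch"
    if len(reply) < 12 or len(query) < 12:
        return False, "short message"
    r_id, r_flags, r_qdcount = struct.unpack("!HHH", reply[:6])
    (q_id,) = struct.unpack("!H", query[:2])
    if r_id != q_id:
        return False, "transaction id mismatch"
    if not r_flags & 0x8000:  # QR bit must mark the message as a response
        return False, "QR bit not set"
    asked, echoed = parse_question(query), parse_question(reply)
    if r_qdcount != 1 or echoed is None or echoed != asked:
        return False, "question mismatch"
    return True, "ok"
```

A reply that fails any of these checks is dropped rather than cached, so an answer arriving from an address other than the configured forwarder never reaches the cache.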