bind qname minimization thoughts

Daniel Stirnimann daniel.stirnimann at switch.ch
Thu May 23 09:49:14 UTC 2019


Dear all,

We run BIND 9.14.2 on our resolver. The introduction of DNS query
minimization (qmin) has so far caused a huge increase in customer
reports about domain names which cannot be resolved.

In comparison to other open source DNS resolvers which support query
minimization, BIND seems to be the most strict (in relaxed mode).

Some domain names which fail with qmin enabled:

nouveau.europresse.com
federation.exostar.com
clients.eurest.ch

Interestingly, in all of the above cases BIND stops because it detects a
lame delegation (returns SERVFAIL to stub). Unbound will not hit the
lame delegation because it sends the query type A (BIND sends query type
NS). Knot-resolver also sends query type NS but disables qmin on errors.

I would like BIND to also more gracefully handle qmin errors. This could
mean changing to query type A (see attached patch for BIND 9.14.2) or
disabling qmin on errors.

Of course, we always try to send error reports to the domain owners but
so far, I have not seen that any domain name got fixed. The qmin domain
whitelist feature [1] would also be useful to us.

How do other BIND operators handle qmin errors?

Daniel

[1] https://gitlab.isc.org/isc-projects/bind9/issues/651
-------------- next part --------------
--- a/lib/dns/resolver.c	2019-05-22 10:56:29.000000000 +0200
+++ b/lib/dns/resolver.c	2019-05-22 10:58:01.000000000 +0200
@@ -10475,7 +10475,7 @@
 			       NULL, dns_fixedname_name(&fname));
 		result = dns_name_dup(dns_fixedname_name(&fname), fctx->mctx,
 				      &fctx->qminname);
-		fctx->qmintype = dns_rdatatype_ns;
+		fctx->qmintype = dns_rdatatype_a;
 		fctx->minimized = true;
 	} else {
 		/* Minimization is done, we'll ask for whole qname */
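Review bot: the switch from `dns_rdatatype_ns` to `dns_rdatatype_a` is unconditional, so it changes the probe type for every minimised step of every fetch rather than adding the error handling the message asks for; a narrower change would keep `fctx->qmintype = dns_rdatatype_ns;` and move to type A (or clear `fctx->minimized` for that fetch) only after the NS probe has produced the lame response. The assignment also needs a comment beside it recording why the probe type differs from the upstream choice, since nothing in the hunk explains it.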


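To make the three behaviours compared in the post concrete, here is an added, simplified model (not BIND, Unbound or Knot code) of a qname-minimisation walk run against constructed authoritative responses: the names, the `AUTH` table and the "lame" outcome at `lb.example.test.` are assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Constructed authoritative behaviour: (qname, qtype) -> outcome. "lame" stands
# for the broken response that makes a strict resolver abandon the fetch. The
# host lb.example.test. is made up: it answers A but misbehaves on NS queries.
AUTH: Dict[Tuple[str, str], str] = {
    ("test.", "NS"): "delegation",
    ("example.test.", "NS"): "delegation",
    ("lb.example.test.", "NS"): "lame",
    ("lb.example.test.", "A"): "answer",
    ("www.lb.example.test.", "A"): "answer",
    ("www.example.test.", "A"): "answer",
}

# Strategy name -> (probe type for intermediate labels, disable qmin on error?)
STRATEGIES: Dict[str, Tuple[str, bool]] = {
    "bind_like": ("NS", False),    # NS probes, SERVFAIL on a lame response
    "unbound_like": ("A", False),  # A probes, so the NS problem is never hit
    "knot_like": ("NS", True),     # NS probes, fall back to the full name on error
}


def minimized_names(qname: str) -> List[str]:
    """Progressively longer names, from the TLD up to the full qname."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def resolve(qname: str, qtype: str, probe_type: str,
            fallback_on_error: bool) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Walk the minimised names; return the final outcome and the queries sent."""
    log: List[Tuple[str, str, str]] = []
    for name in minimized_names(qname):
        if name == qname:
            # Minimisation is done: ask for the whole qname with the real type.
            outcome = AUTH.get((name, qtype), "noerror")
            log.append((name, qtype, outcome))
            return outcome, log
        outcome = AUTH.get((name, probe_type), "noerror")  # referral/NODATA
        log.append((name, probe_type, outcome))
        if outcome == "lame":
            if not fallback_on_error:
                return "SERVFAIL", log  # strict: give up on the fetch
            outcome = AUTH.get((qname, qtype), "noerror")  # qmin disabled
            log.append((qname, qtype, outcome))
            return outcome, log
    return "noerror", log


def compare(qname: str, qtype: str = "A") -> Dict[str, str]:
    """Outcome of each strategy for one query."""
    return {k: resolve(qname, qtype, p, f)[0] for k, (p, f) in STRATEGIES.items()}
```

Running `compare("www.lb.example.test.")` shows only the strict NS strategy returning SERVFAIL, while a name without the broken host resolves under all three.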