twice as many RRs in 9.20?

Ben Scott bscott at isc.org
Thu Dec 4 00:13:15 UTC 2025


On 12/3/25 11:04, Peter 'PMc' Much wrote:
>! are now seeing the additional work BIND puts in to compensate for
>! CVE-2025-40778.
> 
> Thank You, that looks ugly. But doesn't tell much.

   Briefly: BIND can no longer safely trust glue records for a domain it 
did not ask about, so it has to make more queries to learn the addresses 
of name servers.  For some of the ridiculously long referral chains out 
there, this can easily mean 10 or more new outgoing queries.

   Sometimes the result can even differ, when it turns out the glue 
records don't match the rest of the world.

> And, actually there is an impact with this ( s/NXDOMAIN/SERVFAIL/ ):
> 
> # rndc flush temptest
> # host -t NAPTR tel.t-online.de
> Host tel.t-online.de not found: 3(NXDOMAIN)

   I see similar when I try "dig NAPTR tel.t-online.de. @127.0.0.1" 
against a freshly started "named", for both 9.20 and 9.18.

   My first few attempts (dig invocations) got SERVFAIL, but within 
three or so repeats, I get the answer.  Those symptoms usually mean 
max-recursion-queries, combined with the cache filling with each 
successive query attempt.  BIND keeps the cached answers it gets, even 
if it SERVFAILs later, so repeating the query gets closer each time.

   In my case, I could make it worse/better by disabling BIND's use of 
IPv6.  I don't have IPv6 available at home at the moment, so disabling 
it let BIND skip a bunch of queries that wouldn't work anyway.  Figuring 
that out counts against max-recursion-queries.  So if you don't have 
good IPv6 connectivity, make sure you configure BIND accordingly.

   As an aside: Now that you're on 9.20, a very useful technique is 
"delv" with the "+ns" option.  This creates a full nameserver instance 
inside the "delv" process, more-or-less the same way "named" would, and 
then runs the query using that nameserver.  This lets one examine what 
"named" would do, without the hassle of starting/flushing the daemon, 
reading the logs, etc.  Set the debug level to see more.  "-d3" is 
usually a good start.  "-d99" will show you more than you ever wanted to 
know about how BIND works.

   Case in point: "delv -4 -d3 +ns NAPTR tel.t-online.de. | less" (and 
then hitting G) let me see that it was concluding with SERVFAIL. 
Working backward from there, I see lots of "exceeded max queries" 
messages.  I was then able to modify the command with "delv -4 -d3 +ns 
+maxqueries=100 NAPTR tel.t-online.de. | less" and see the proper answer.

   Hope this helps,

   -- Ben

-- 
Any opinions expressed in this message are those of the author alone.
All information is provided without warranty of any kind.
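The "delv -d3 +ns" workflow described in the message above, wrapped so the final status and the number of "exceeded max queries" lines are visible without paging through the whole debug transcript. This is an added example, not code from the original thread or from ISC; the delv flags (-4, -d3, +ns, +maxqueries) are the ones quoted in the message, while the exact wording of delv's failure line ("resolution failed: SERVFAIL") and the shape of answer lines are assumptions about its output format.

```shell
#!/bin/sh
# Added example (not from the original thread or from ISC): summarise a
# "delv -d3 +ns" run instead of reading the whole debug log in a pager.
#
# delv_summary reads a delv transcript (stdout+stderr) on stdin and prints:
#   status=<ANSWER|SERVFAIL|UNKNOWN> exceeded_max_queries=<count>
# Assumed markers in delv -d3 output:
#   - "exceeded max queries"          (quoted in the message above)
#   - a line containing "SERVFAIL"    (assumed final failure line)
#   - a non-comment line with " IN "  (assumed answer RR line)
delv_summary() {
    input=$(cat)
    # Count how many times the resolver hit the recursion query limit.
    exceeded=$(printf '%s\n' "$input" | grep -c 'exceeded max queries' || true)
    if printf '%s\n' "$input" | grep -q 'SERVFAIL'; then
        status=SERVFAIL
    elif printf '%s\n' "$input" | grep -v '^;' | grep -q '[[:space:]]IN[[:space:]]'; then
        status=ANSWER
    else
        status=UNKNOWN
    fi
    printf 'status=%s exceeded_max_queries=%s\n' "$status" "$exceeded"
}

# delv_probe runs the invocation from the message (IPv4 only, debug level 3,
# built-in nameserver instance) with an explicit query limit and summarises
# the result.  Usage: delv_probe <maxqueries> TYPE NAME
# Example: delv_probe 100 NAPTR tel.t-online.de.
delv_probe() {
    limit=$1
    shift
    delv -4 -d3 +ns +maxqueries="$limit" "$@" 2>&1 | delv_summary
}
```

Running delv_probe first with a small limit and then with +maxqueries=100 makes the difference the message describes (SERVFAIL on the first pass, a proper answer once the limit is raised) show up as two one-line summaries, which is easier to compare than two full -d3 transcripts.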