QNAME minimisation question
Petr Špaček
pspacek at isc.org
Tue Jun 3 11:13:12 UTC 2025
On 6/3/25 12:06, Petr Špaček wrote:
> On 6/3/25 11:29, Nick Tait wrote:
>> On 02/06/2025 23:30, Petr Špaček wrote:
>>> In short, with an empty cache, BIND will exceed pre-configured limit
>>> on number of queries it can do. This is protection from various
>>> attacks which misuse DNS to attack itself.
>>
>> Thanks for the explanation!
>>
>> This particular recursive query doesn't seem especially out-of-the-
>> ordinary to me, in terms of the number of name servers returned for
>> each authoritative zone, so it was a little surprising to me that it
>> would hit the default limit setting. However when I took a closer look
>> at the combined impact that QNAME minimisation and DNSSEC and
>> IPv4+IPv6 has on the number of queries it is actually not so
>> surprising after all...
I want to underline that this happens with a totally empty cache. If you try,
get SERVFAIL (limits exceeded), and try again in 5 seconds, you will get
an answer.
As for the number of servers involved and all that... well... have a look at
this graph:
https://trans-trust.verisignlabs.com/?z=195.5.90.45.in-addr.arpa.
It's not exactly a trivial tree to walk through if you don't know where
you are going and have max. 50 steps available. (BTW the chart does not
show A/AAAA queries for NS names, only server names involved.)
--
Petr Špaček
Internet Systems Consortium
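To make the "empty cache versus retry" effect in this message concrete, here is an added toy model; it is not code from the thread and not BIND's implementation. It counts the outgoing queries a validating, dual-stack recursive resolver with QNAME minimisation would send for one PTR lookup over a constructed delegation tree, against a per-lookup budget of 50, which is the "max. 50 steps" figure in the message (the name of BIND's actual limit option is not given here). All zone and server names are invented, and the modelling assumptions are stated in the docstring: one query per label step, one DNSKEY query per signed zone, and A plus AAAA fetched for every NS name that arrived without glue.

```python
"""Toy model of resolver work from an empty cache (added example, not code from
the bind-users thread or from BIND). It counts the outgoing queries one PTR
lookup needs over a CONSTRUCTED delegation tree and compares the total with a
per-lookup budget of 50, the "max. 50 steps" figure quoted in the message.
Assumptions: one query per label step (QNAME minimisation), one DNSKEY query
per signed zone, A and AAAA fetched for every out-of-bailiwick NS name, and
in-bailiwick NS names arrive as glue and cost nothing."""

from dataclasses import dataclass, field

MAX_QUERIES = 50  # per-lookup budget used by the model (constructed)

# Constructed delegation tree: zone -> NS hostnames (absolute names). The shape
# loosely mimics a reverse-DNS walk (arpa -> in-addr.arpa -> RIR -> ISP).
ZONES = {
    ".": ["root.hints.test."],
    "test.": ["a.nic.test."],
    "arpa.": ["a.arpa-ns.test.", "b.arpa-ns.test."],
    "arpa-ns.test.": ["ns.arpa-ns.test."],
    "in-addr.arpa.": [f"{c}.in-addr-servers.arpa." for c in "abcdef"],
    "in-addr-servers.arpa.": ["a.in-addr-servers.arpa."],
    "45.in-addr.arpa.": ["ns1.rir.test.", "ns2.rir.test.", "ns3.rir.test.", "ns.backup.test."],
    "rir.test.": ["ns.rir.test."],
    "backup.test.": ["ns.backup.test."],
    "90.45.in-addr.arpa.": ["dns1.isp.test.", "dns2.isp.test.", "dns3.isp.test."],
    "isp.test.": ["ns.isp.test."],
}


class BudgetExceeded(Exception):
    """Raised when one lookup would need more queries than the budget allows."""


def under(name, zone):
    """True if `name` is at or below `zone` (both absolute, with trailing dot)."""
    return zone == "." or name == zone or name.endswith("." + zone)


@dataclass
class Resolver:
    dnssec: bool = True
    dual_stack: bool = True
    limit: int = MAX_QUERIES
    zones: set = field(default_factory=lambda: {"."})                 # zones we can query directly
    addrs: set = field(default_factory=lambda: {"root.hints.test."})  # NS names with known addresses
    sent: int = 0
    log: list = field(default_factory=list)                           # (qname, qtype) per query

    def _send(self, qname, qtype):
        if self.sent >= self.limit:
            raise BudgetExceeded(f"{qname}: more than {self.limit} queries needed")
        self.sent += 1
        self.log.append((qname, qtype))

    def _deepest_cached_zone(self, name):
        return max((z for z in self.zones if under(name, z)), key=len)

    def _enter_zone(self, zone):
        """Work needed before a freshly delegated zone is usable: its DNSKEY and
        the addresses of every NS name the referral carried no glue for."""
        if self.dnssec:
            self._send(zone, "DNSKEY")
        for ns in ZONES[zone]:
            if under(ns, zone) or ns in self.addrs:
                continue  # glue in the referral, or already cached
            self.resolve(ns, "A")
            if self.dual_stack:
                self.resolve(ns, "AAAA")
            self.addrs.add(ns)
        self.zones.add(zone)  # only now can this zone be asked directly

    def resolve(self, name, qtype):
        """QNAME minimisation: start at the deepest cached zone, add one label per query."""
        zone = self._deepest_cached_zone(name)
        below = name[:-1] if zone == "." else name[: -len(zone) - 1]
        labels = below.split(".")[::-1] if below else []
        if not labels:
            self._send(name, qtype)
            return
        current = zone
        for i, label in enumerate(labels):
            candidate = label + "." + ("" if current == "." else current)
            self._send(candidate, qtype if i == len(labels) - 1 else "minimised")
            if candidate in ZONES:  # referral: a delegation boundary
                if candidate not in self.zones:
                    self._enter_zone(candidate)
                current = candidate

    def lookup(self, name, qtype="PTR"):
        """One client query: returns (queries sent, answered?). The cache persists
        across lookups, just as fetches completed before a SERVFAIL stay cached."""
        self.sent = 0
        try:
            self.resolve(name, qtype)
            return self.sent, True
        except BudgetExceeded:
            return self.sent, False


if __name__ == "__main__":
    r = Resolver()
    q = "195.5.90.45.in-addr.arpa."
    print("cold cache:", r.lookup(q))                    # (50, False): budget exhausted
    print("retry:     ", r.lookup(q))                    # (2, True): the walk is cached
    print("cold, no DNSSEC, IPv4 only:", Resolver(dnssec=False, dual_stack=False).lookup(q))
```

The cold run stops at the budget and the very next lookup of the same name needs only two queries, because every delegation the first attempt already walked is cached. Running the same tree with DNSSEC or AAAA switched off shows which of the two multiplies the cost: each signed zone adds one DNSKEY query, and each out-of-bailiwick NS name adds one extra address query per address family.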