BIND 9.18.41 after upgrade to this version, resolving ns7.zainternet.net/A failed (hung fetch while resolving)
Greg Choules
gregchoules+bindusers at googlemail.com
Thu Oct 30 11:58:08 UTC 2025
Hi Bernd.
Two things:
- What did you upgrade from?
- Have you tried the same query several times in a row?
Recent changes in BIND mean it now limits the number of records it is
prepared to accept in one response, as an anti-DDoS measure. If auth
servers for a particular zone (I haven't looked at this one) happen to
respond with more than that threshold (which can be adjusted), it might
take several goes, with a cold cache, before BIND has gathered enough
information to be able to answer the client query.
Please check.
Cheers, Greg
On Thu, 30 Oct 2025 at 10:27, Bernd Leibing <bernd.leibing at uni-ulm.de>
wrote:
> Hi,
>
> after the recent security upgrade to BIND 9.18.41-1~deb12u1-Debian, my
> resolver
> failed to resolve for example ns7.zainternet.net/A
>
> This is easy to reproduce with the default configuration. Not much in the
> log, even
> with max debug level.
>
> # rndc status
> version: BIND 9.18.41-1~deb12u1-Debian (Extended Support Version) <id:>
> running on localhost: Linux x86_64 6.1.0-40-amd64 #1 SMP PREEMPT_DYNAMIC
> Debian
> 6.1.153-1 (2025-09-20)
> boot time: Wed, 29 Oct 2025 22:51:58 GMT
> last configured: Wed, 29 Oct 2025 22:51:58 GMT
> configuration file: /etc/bind/named.conf
> CPUs found: 4
> worker threads: 4
> UDP listeners per interface: 4
> number of zones: 103 (98 automatic)
> debug level: 99
> ...
>
> # host ns7.zainternet.net 127.0.0.1
> ;; communications error to 127.0.0.1#53: timed out
> ;; communications error to 127.0.0.1#53: timed out
> ;; no servers could be reached
>
>
> #### slightly redacted
> # journalctl -n 30 -t named
> Oct 30 named[]: shut down hung fetch while resolving '
> ns7.zainternet.net/AAAA'
> Oct 30 named[]: shut down hung fetch while resolving 'ns7.zainternet.net/A
> '
> Oct 30 named[]: shut down hung fetch while resolving '
> ns8.za-internet.net/A'
> Oct 30 named[]: shut down hung fetch while resolving '
> ns7.zainternet.net/AAAA'
> Oct 30 named[]: shut down hung fetch while resolving '
> ns8.za-internet.net/AAAA'
> Oct 30 named[]: shut down hung fetch while resolving '
> ns11.zainternet.net/AAAA'
> Oct 30 named[]: shut down hung fetch while resolving '
> ns11.zainternet.net/A'
> Oct 30 named[]: shut down hung fetch while resolving 'ns7.za-internet.de/A
> '
> Oct 30 named[]: shut down hung fetch while resolving '
> ns7.za-internet.de/AAAA'
> Oct 30 named[]: shut down hung fetch while resolving '
> ns11.za-internet.de/A'
> Oct 30 named[]: shut down hung fetch while resolving '
> ns11.za-internet.de/AAAA'
> Oct 30 named[]: shut down hung fetch while resolving 'ns8.za-domain.de/A'
> Oct 30 named[]: shut down hung fetch while resolving '
> ns8.za-domain.de/AAAA'
> Oct 30 named[]: shut down hung fetch while resolving '
> ns7.za-internet.net/AAAA'
> Oct 30 named[]: shut down hung fetch while resolving '
> ns7.za-internet.net/A'
>
> Any hints?
> Thanks & Regards,
>
> Bernd
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20251030/5fb799a5/attachment-0001.htm>
More information about the bind-users
mailing list