BIND 9.21+/9.22: parent-centric delegations and no TTL-based cleaning

Michael Richardson mcr at sandelman.ca
Wed Apr 8 17:07:38 UTC 2026


Ondřej Surý <ondrej at isc.org> wrote:
    > nameservers for the child domain. The NS records in the child domain
    > will be treated as normal DNS records and returned
    > as authoritative data, but they will no longer overwrite the delegation
    > data for the domain. If you want to delve into the technical
    > details and reasoning behind the change, you are most welcome to read
    > the Internet Draft I've submitted to IETF and possibly
    > also express interest in the draft in the dnsop wg:

So, I think this affects only people who have a parent and a child loaded into an
authoritative server... and who have not synchronized them.

That could easily happen if one has a secondary name server that loads zones
from different origins.  Come to think of it my secondary loads reverse zones
in that exact way...  So maybe it affects many ISPs.
I was thinking finding/fixing this would be easy for those who just have a
directory of files, but the secondary and inline DNSSEC signer situations
probably make it more prevalent.

Are there any warnings that can be enabled?
I think, one wouldn't want this on by default.

    > Our experiments show that named behaves well even with smaller cache
    > sizes, and you might want to experiment with smaller
    > cache sizes (512M - 1GB) to see if they work well for you. The
    > reasoning behind this change is quite simple - the TTL-based cleaning
    > is just a band-aid - it pretends to work until the DNS resolver is
    > under attack. A determined attacker can then fill your cache with

How does bind9 set its default cache size?  Is it related to available
physical (not virtual) memory?  Or?

Is the default sensible?  Is there any advice about if the value should be
tuned?   What I'm really asking is: while ram is cheap, no point in wasting
it provisioning it to VMs that don't need it.
Is the cache common across views?  I never looked.
As a historical one-bind to rule them all user, I use one view for
stealth-authoritative (unsigned), another for inline DNSSEC signing, and a
third for recursive resolution.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
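One way to find the unsynchronized parent/child pairs the message worries about is to compare each delegation's NS RRset in the parent with the apex NS RRset of the child zone loaded on the same server. The script below is an added example, not code from the thread or from BIND; it uses constructed sample zones in a simplified master-file syntax (one record per line, absolute names) and is not a full zone-file parser.

```python
"""Compare parent delegation NS sets with child apex NS sets.

Constructed example: reads zone text in a simplified master-file
syntax (one record per line, absolute owner names, no $ORIGIN or
multi-line records) and reports delegation points whose NS RRset
differs from the child zone's apex NS RRset.
"""
import re

# Constructed sample zones: the parent delegates child.example.test to
# ns1/ns2, but the child zone file served by the same host lists ns3.
PARENT_ZONE = """\
example.test.        3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test.        3600 IN NS  ns1.example.test.
child.example.test.  3600 IN NS  ns1.child.example.test.
child.example.test.  3600 IN NS  ns2.child.example.test.
ns1.child.example.test. 3600 IN A 192.0.2.1
"""
CHILD_ZONE = """\
child.example.test.  3600 IN SOA ns1.child.example.test. hostmaster.child.example.test. 5 7200 3600 1209600 3600
child.example.test.  3600 IN NS  ns1.child.example.test.
child.example.test.  3600 IN NS  ns3.child.example.test.
"""

# owner [ttl] [IN] NS target  (comments after ';' are stripped first)
NS_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?NS\s+(\S+)", re.IGNORECASE)

def ns_rrsets(zone_text):
    """Map each owner name to its set of NS targets (names lower-cased)."""
    rrsets = {}
    for line in zone_text.splitlines():
        m = NS_LINE.match(line.split(";")[0].strip())
        if m:
            rrsets.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    return rrsets

def delegation_mismatches(parent_text, child_texts):
    """Return {child_apex: (parent_ns, child_ns)} for every child zone
    whose apex NS RRset differs from the parent's delegation NS RRset.
    child_texts maps each child apex name to that zone's text."""
    parent = ns_rrsets(parent_text)
    out = {}
    for apex, text in child_texts.items():
        apex = apex.lower()
        parent_ns = parent.get(apex, set())
        child_ns = ns_rrsets(text).get(apex, set())
        if parent_ns != child_ns:
            out[apex] = (parent_ns, child_ns)
    return out

if __name__ == "__main__":
    found = delegation_mismatches(PARENT_ZONE, {"child.example.test.": CHILD_ZONE})
    for apex, (p, c) in found.items():
        print(f"{apex}: parent delegates to {sorted(p)}, child apex has {sorted(c)}")
```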
