BIND 9.21+/9.22: parent-centric delegations and no TTL-based cleaning

Ondřej Surý ondrej at isc.org
Wed Apr 15 15:54:51 UTC 2026


> Are there any warnings that can be enabled?
> I think, one wouldn't want this on by default.

What warnings do you have in mind?

Like https://zonemaster.net/en/ (it also has a command line utility)

> How does bind9 set its default cache size?  Is it related to available
> physical (not virtual) memory?

Yes, it is actually documented: https://bind9.readthedocs.io/en/v9.21.21/reference.html#namedconf-statement-max-cache-size

--
Ondřej Surý (He/Him)
ondrej at isc.org

ADHD brain at work: I sometimes lose track of my inbox. Please feel free to send a gentle nudge if you're waiting on a reply!

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 8. 4. 2026, at 19:07, Michael Richardson <mcr at sandelman.ca> wrote:
> 
> 
> Ondřej Surý <ondrej at isc.org> wrote:
>> nameservers for the child domain. The NS records in the child domain
>> will be treated as normal DNS records and returned
>> as authoritative data, but they will no longer overwrite the delegation
>> data for the domain. If you want to delve into the technical
>> details and reasoning behind the change, you are most welcome to read
>> the Internet Draft I've submitted to IETF and possibly
>> also express interest in the draft in the dnsop wg:
> 
> So, I think this affects only people who have a parent and a child loaded into an
> authoritative server... and who have not synchronized them.
> 
> That could easily happen if one has a secondary name server that loads zones
> from different origins.  Come to think of it my secondary loads reverse zones
> in that exact way...  So maybe it affects many ISPs.
> I was thinking finding/fixing this would be easy for those who just have a
> directory of files, but the secondary and inline DNSSEC signer situations
> probably make it more prevalent.
> 
> Are there any warnings that can be enabled?
> I think, one wouldn't want this on by default.
> 
>> Our experiments show that named behaves well even with smaller cache
>> sizes, and you might want to experiment with smaller
>> cache sizes (512M - 1GB) to see if they work well for you. The
>> reasoning behind this change is quite simple - the TTL-based cleaning
>> is just a band-aid - it pretends to work until the DNS resolver is
>> under attack. A determined attacker can then fill your cache with
> 
> How does bind9 set its default cache size?  Is it related to available
> physical (not virtual) memory?  Or?
> 
> Is the default sensible?  Is there any advice about if the value should be
> tuned?   What I'm really asking is: while ram is cheap, no point in wasting
> it provisioning it to VMs that don't need it.
> Is the cache common across views?  I never looked.
> As a historical one-bind to rule them all user, I use one view for
> stealth-authoritative (unsigned), another for inline DNSSEC signing, and a
> third for recursive resolution.
> 
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
> 
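An added check (my own example, not ISC's or BIND's code, and not part of this thread) for the "warnings" question above: it compares the NS set the parent zone holds for a delegated name against the NS set at the child's apex, which is the inconsistency that parent-centric delegations stop papering over. Zone files are assumed to be in a simplified one-record-per-line presentation format; the sample zones are constructed.

```python
"""Added check (not ISC/BIND code): report child-apex NS records that differ from
the parent's delegation. With parent-centric delegations the parent's NS set is
what named uses for the referral, so any mismatch means the two zones need
synchronising. Zone text is a constructed, simplified presentation format
(owner TTL class type rdata, one record per line); $ORIGIN/$TTL, "@" owners and
multi-line records are not handled here.
"""
from collections import defaultdict

def parse_ns(zone_text):
    """Return {owner: set(nsdname)} for every NS record in the zone text."""
    ns = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, tokenise
        # The type token sits between owner and rdata; TTL and class are optional.
        if len(fields) < 3 or "NS" not in fields[1:-1]:
            continue
        owner = fields[0].lower().rstrip(".")
        target = fields[-1].lower().rstrip(".")
        ns[owner].add(target)
    return ns

def delegation_mismatches(parent_text, child_text, child_name):
    """Compare the parent's delegation NS set with the child's apex NS set."""
    child_name = child_name.lower().rstrip(".")
    parent_ns = parse_ns(parent_text).get(child_name, set())
    child_ns = parse_ns(child_text).get(child_name, set())
    return {
        "only_in_parent": sorted(parent_ns - child_ns),
        "only_in_child": sorted(child_ns - parent_ns),
    }

# Constructed sample zones: the parent delegates to ns1/ns2, the child lists ns2/ns3.
PARENT_ZONE = """\
example.test.      3600 IN SOA ns1.example.test. hostmaster.example.test. 1 3600 900 604800 300
example.test.      3600 IN NS  ns1.example.test.
sub.example.test.  3600 IN NS  ns1.example.test.  ; delegation
sub.example.test.  3600 IN NS  ns2.example.test.
"""
CHILD_ZONE = """\
sub.example.test.  3600 IN SOA ns2.example.test. hostmaster.example.test. 5 3600 900 604800 300
sub.example.test.  3600 IN NS  ns2.example.test.
sub.example.test.  3600 IN NS  ns3.example.test.  ; not in the parent's delegation
"""

if __name__ == "__main__":
    print(delegation_mismatches(PARENT_ZONE, CHILD_ZONE, "sub.example.test"))
```

Run against a directory of zone files, a non-empty result for any delegated name is the case the thread describes: the child's apex NS records will still be served as authoritative data but will no longer override the parent's delegation.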