<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Hey everyone,<div><br></div><div>Thanks for bringing this to our attention.</div><div><br></div><div>I would ask - if you have specific examples of domain names that fail to resolve with a cold cache, please either record them in the issue that Thomas filed: <a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4921">https://gitlab.isc.org/isc-projects/bind9/-/issues/4921</a> or send them here. It would help us to look at how we can change the limits in a way that doesn’t hurt legitimate traffic but limits the impact of malicious actors.</div><div><br></div><div>Ondrej<br id="lineBreakAtBeginningOfSignature"><div dir="ltr"><div>--</div>Ondřej Surý — ISC (He/Him)<div><br></div><div>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</div></div><div dir="ltr"><br><blockquote type="cite">On 7. 9. 2024, at 9:53, Andreas S. Kerber via bind-users &lt;bind-users@lists.isc.org&gt; wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><span>On Fri, Sep 06, 2024 at 09:27:21PM +0200, Ondřej Surý wrote:</span><br><blockquote type="cite"><span>Anyway - since you are hitting the 32 limit, perhaps bumping the limit to 100 (the value before) would help in your case?
I am guessing the resolver is being used for a limited set of clients and the chance of this specific abuse is quite low.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>https://bind9.readthedocs.io/en/v9.18.29/notes.html#notes-for-bind-9-18-29</span><br></blockquote><span></span><br><span>Hi,</span><br><span></span><br><span>FYI our MTA rejection rate went up since updating from 9.18.28 to 9.18.29.</span><br><span>We're still troubleshooting and considering raising the limit back to 100.</span><br><span></span><br><span>Here's a list of PTRs which you might be interested in.</span><br><span>If the resolver cache is flushed, some of these names fail to resolve (SERVFAIL) at first and after waiting a bit the names start to resolve. At least some of these names seem quite legitimate and I can't say if each of their zone setups is the culprit or the recursion limit is simply too low.</span><br><span></span><br></div></blockquote></div></body></html>