BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
Feed updated: 2021-01-29T12:54:56Z

Issue #1917: danger, security and CVE.
https://gitlab.isc.org/isc-projects/bind9/-/issues/1917
Updated: 2021-01-29T12:54:56Z
Author: Mark Andrews

It would be useful if danger checked that the CHANGES and release notes entries for [security] changes contain a CVE number.

Milestone: February 2021 (9.11.28, 9.11.28-S1, 9.16.12, 9.16.12-S1, 9.17.10)
Assignee: Michał Kępień

Issue #1916: Check ECS response in DiG for RFC compliance
https://gitlab.isc.org/isc-projects/bind9/-/issues/1916
Updated: 2024-03-13T13:11:50Z
Author: Mark Andrews

We have seen servers that return ECS responses that don't meet this requirement.

```
RFC 7871, 7.2.1. Authoritative Nameserver
FAMILY, SOURCE PREFIX-LENGTH, and ADDRESS in the response MUST match
those in the query. Echoing back these values helps to mitigate
certain attack vectors, as described in Section 11.
```
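The check this request asks for, as an added example that is not code from BIND, dig or this issue: it decodes the ECS option data of a query and of the response (RFC 7871 section 6 wire format: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, truncated ADDRESS) and reports every field of the quoted MUST that the response failed to echo. Function names, the `ClientSubnet` type and the byte strings at the bottom are this example's own; the payloads are constructed, not captured, and in a real dig run they would be taken from the OPT RR of each message.

```python
"""Added example: verify that a response's EDNS Client Subnet (ECS) option
echoes the query's FAMILY, SOURCE PREFIX-LENGTH and ADDRESS (RFC 7871,
section 7.2.1). Not code from BIND or dig; it works on the option payload
(the octets after OPTION-CODE and OPTION-LENGTH in the OPT RR)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ECS_OPTION_CODE = 8              # edns-client-subnet, RFC 7871 section 6
FAMILY_IPV4, FAMILY_IPV6 = 1, 2  # IANA address family numbers
ADDRESS_BITS = {FAMILY_IPV4: 32, FAMILY_IPV6: 128}


@dataclass(frozen=True)
class ClientSubnet:
    family: int
    source_prefix: int
    scope_prefix: int
    address: bytes  # exactly ceil(source_prefix / 8) octets


def parse_ecs(payload: bytes) -> ClientSubnet:
    """Decode ECS option data, enforcing the section 6 format rules."""
    if len(payload) < 4:
        raise ValueError("ECS option shorter than its 4-octet fixed part")
    family = int.from_bytes(payload[0:2], "big")
    source_prefix, scope_prefix = payload[2], payload[3]
    address = payload[4:]
    if family not in ADDRESS_BITS:
        raise ValueError(f"unknown address family {family}")
    if max(source_prefix, scope_prefix) > ADDRESS_BITS[family]:
        raise ValueError("prefix length exceeds the address size")
    want = (source_prefix + 7) // 8
    if len(address) != want:
        raise ValueError(f"ADDRESS is {len(address)} octets, expected {want} for /{source_prefix}")
    # Bits beyond SOURCE PREFIX-LENGTH in the last octet MUST be zero.
    spare = source_prefix % 8
    if spare and address[-1] & (0xFF >> spare):
        raise ValueError("non-zero bits beyond SOURCE PREFIX-LENGTH")
    return ClientSubnet(family, source_prefix, scope_prefix, address)


def build_ecs(network: str) -> bytes:
    """Encode the query-side option for a CIDR prefix (SCOPE PREFIX-LENGTH 0)."""
    net = ipaddress.ip_network(network, strict=True)
    family = FAMILY_IPV4 if net.version == 4 else FAMILY_IPV6
    octets = (net.prefixlen + 7) // 8
    return (family.to_bytes(2, "big") + bytes([net.prefixlen, 0])
            + net.network_address.packed[:octets])


def check_echo(query_payload: bytes, response_payload: bytes) -> list[str]:
    """List the section 7.2.1 violations in a response's ECS option.

    FAMILY, SOURCE PREFIX-LENGTH and ADDRESS MUST match the query; only
    SCOPE PREFIX-LENGTH is the server's to choose, so it is not compared.
    An empty list means the response is compliant."""
    query = parse_ecs(query_payload)
    try:
        resp = parse_ecs(response_payload)
    except ValueError as exc:
        return [f"malformed response option: {exc}"]
    problems = []
    if resp.family != query.family:
        problems.append(f"FAMILY {resp.family} != {query.family}")
    if resp.source_prefix != query.source_prefix:
        problems.append(f"SOURCE PREFIX-LENGTH {resp.source_prefix} != {query.source_prefix}")
    if resp.address != query.address:
        problems.append(f"ADDRESS {resp.address.hex()} != {query.address.hex()}")
    return problems


# Constructed sample payloads (not captured traffic).
QUERY = build_ecs("203.0.113.0/24")              # 0001 18 00 cb0071
GOOD_RESPONSE = bytes.fromhex("00011818cb0071")  # scope /24, address echoed
BAD_RESPONSE = bytes.fromhex("00011818cb0070")   # address altered by the server

if __name__ == "__main__":
    print("good:", check_echo(QUERY, GOOD_RESPONSE) or "compliant")
    print("bad: ", check_echo(QUERY, BAD_RESPONSE))
```

A dig-style warning would be emitted whenever `check_echo` returns a non-empty list; a response whose option is itself malformed (wrong ADDRESS length, non-zero bits past the prefix) is reported as such rather than compared field by field.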
Add a warning when the ECS response fails to meet this requirement.

Milestone: Not planned

Issue #1915: Edits to man pages for BIND ARM
https://gitlab.isc.org/isc-projects/bind9/-/issues/1915
Updated: 2021-01-12T14:39:10Z
Author: Suzanne Goldlust

Text and formatting edits for the man pages in the BIND ARM

Milestone: July 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)
Assignee: Suzanne Goldlust

Issue #1914: Text edits in libdns.rst
https://gitlab.isc.org/isc-projects/bind9/-/issues/1914
Updated: 2020-06-08T12:20:44Z
Author: Suzanne Goldlust

Content, clarity, and grammar updates to the DNS Library Support section of the BIND ARM

Milestone: June 2020 (9.11.20, 9.11.20-S1, 9.16.4, 9.17.2)
Assignee: Suzanne Goldlust

Issue #1913: Remove unused leftovers
https://gitlab.isc.org/isc-projects/bind9/-/issues/1913
Updated: 2020-11-12T14:09:33Z
Author: Michal Nowak

The following discussion from !3527 should be addressed:
- [ ] @michal started a [discussion](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3527#note_134700): (+2 comments)
> Reviewing this MR revealed a few interesting findings:
>
> - there are some files which appear to be unused leftovers, e.g.
> `bin/rndc/include/rndc/os.h` - they are not included in source
> tarballs produced by `make dist` and yet these compile just fine,
>
> - some files tracked by Git are of questionable use, e.g.
> `bin/rndc/rndc.conf`.
>
> [1]: #1774

Milestone: November 2020 (9.11.25, 9.11.25-S1, 9.16.9, 9.16.9-S1, 9.17.7)
Assignee: Michal Nowak

Issue #1912: Refactor `fctx->client` to store just preformatted text
https://gitlab.isc.org/isc-projects/bind9/-/issues/1912
Updated: 2020-06-05T14:21:14Z
Author: Ondřej Surý

Per https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3575#note_133991

Milestone: BIND 9.17 Backburner

Issue #1910: Text edits in general.rst
https://gitlab.isc.org/isc-projects/bind9/-/issues/1910
Updated: 2020-06-08T12:20:23Z
Author: Suzanne Goldlust

Content, clarity, and grammar updates in the BIND ARM

Milestone: June 2020 (9.11.20, 9.11.20-S1, 9.16.4, 9.17.2)
Assignee: Suzanne Goldlust

Issue #1909: Text edits in history.rst
https://gitlab.isc.org/isc-projects/bind9/-/issues/1909
Updated: 2020-06-08T12:10:48Z
Author: Suzanne Goldlust

Content, clarity, grammar

Milestone: June 2020 (9.11.20, 9.11.20-S1, 9.16.4, 9.17.2)
Assignee: Suzanne Goldlust

Issue #1908: Text edits in troubleshooting.rst
https://gitlab.isc.org/isc-projects/bind9/-/issues/1908
Updated: 2020-06-08T12:11:23Z
Author: Suzanne Goldlust

Content, clarity, grammar fixes

Milestone: June 2020 (9.11.20, 9.11.20-S1, 9.16.4, 9.17.2)
Assignee: Suzanne Goldlust

Issue #1907: nsupdate - handle "automatic chunking" for long rdata
https://gitlab.isc.org/isc-projects/bind9/-/issues/1907
Updated: 2021-10-05T12:36:37Z
Author: Brandon Applegate

Example would be DKIM keys. Would be nice if one could feed nsupdate something like:
`"v=DKIM1;h=sha256;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwNaasZOXcA/GFgbu+iAwOUhKKW+QHVdknaZNlh6NMv/r6A+kOpnGCvMsif1LYlas2ZGLFtq1KrjFhOzlBpTNBN1hd/dceGC+rl39Y9VuAPxtNHRp9iZCz/Gs0ipJMzLlXEYE6DA5xKmq88Qk/9VNG5e5AECtCVYV3w7YftHGTuDWIRRMMS+IhyTzivCUYSRu4jl7HklhxplSuryPoKuPzzlVeS22HFtaTV4BXSrf1K9tmu1coe5fB4zbgodDZ5/yx6rFTgr3EjYzhWBqh72G0hHBTBufMu1hMej1Mt6KJsZw8GEGUUWLalfJnuoI8sxVPm3pII+9QoKXNqZtdiGtEQIDAQAB"`
And have nsupdate "chunk" this into < 255 byte parts:
`"v=DKIM1; h=sha256; k=rsa;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwNaasZOXcA/GFgbu+iAwOUhKKW+QHVdknaZNlh6NMv/r6A+kOpnGCvMsif1LYlas2ZGLFtq1KrjFhOzlBpTNBN1hd/dceGC+rl39Y9VuAPxtNHRp9iZCz/Gs0ipJMzLlXEYE6DA5xKmq88Qk/9VNG5e5AECtCVYV3w7YftHGTuDWIRRMMS+IhyTzivCUYSRu4jl7HklhxplSur"
"yPoKuPzzlVeS22HFtaTV4BXSrf1K9tmu1coe5fB4zbgodDZ5/yx6rFTgr3EjYzhWBqh72G0hHBTBufMu1hMej1Mt6KJsZw8GEGUUWLalfJnuoI8sxVPm3pII+9QoKXNqZtdiGtEQIDAQAB"`
Sorry for the formatting here as well, but hopefully the idea comes across.
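What the requested chunking has to do, as an added example that is not nsupdate code: a TXT RR is a sequence of RFC 1035 <character-string>s, each a one-octet length followed by at most 255 octets, so a long DKIM key must be split across several strings and the pieces must concatenate back to the original value. The preference for breaking after `;` (the DKIM/SPF tag separator), the function names and the sample record are this example's own choices; the sample is constructed, not the key quoted in the issue.

```python
"""Added example for the nsupdate request: split TXT rdata into RFC 1035
<character-string>s of at most 255 octets and emit the 'update add'
line. Not nsupdate code; preferring a break after ';' is an
illustrative heuristic, not a BIND behaviour."""
from __future__ import annotations

MAX_CHARSTRING = 255  # RFC 1035 section 3.3: one-octet length prefix


def chunk_txt(rdata: str, prefer_break_after: str = ";") -> list[str]:
    """Return the <character-string>s for one TXT RR, in order.

    Each chunk is at most 255 octets of UTF-8 and concatenating the chunks
    gives back the original value. When the preferred separator occurs
    inside the first 255 octets, the cut is made right after its last
    occurrence so a value like "p=..." starts a new string; otherwise the
    cut is a hard one at 255 octets, moved back if it would split a
    multi-octet UTF-8 sequence."""
    data = rdata.encode("utf-8")
    sep = prefer_break_after.encode("utf-8")
    chunks: list[bytes] = []
    while len(data) > MAX_CHARSTRING:
        window = data[:MAX_CHARSTRING]
        cut = window.rfind(sep) + len(sep) if sep and sep in window else 0
        end = cut if cut > 0 else MAX_CHARSTRING
        while 0x80 <= data[end] < 0xC0:  # never start a chunk on a continuation byte
            end -= 1
        chunks.append(data[:end])
        data = data[end:]
    chunks.append(data)
    return [c.decode("utf-8") for c in chunks]


def quote_charstring(s: str) -> str:
    """Quote one <character-string> in master-file syntax (RFC 1035 5.1):
    '"' and '\\' get a backslash, other non-printable octets become \\DDD."""
    out = []
    for b in s.encode("utf-8"):
        if b in (0x22, 0x5C):
            out.append("\\" + chr(b))
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append(f"\\{b:03d}")
    return '"' + "".join(out) + '"'


def nsupdate_add_txt(owner: str, ttl: int, rdata: str) -> str:
    """The 'update add' line nsupdate would need, with the rdata pre-chunked."""
    return f"update add {owner} {ttl} TXT " + " ".join(
        quote_charstring(c) for c in chunk_txt(rdata))


# Constructed sample: a DKIM-style record whose key is far longer than 255 octets.
SAMPLE_DKIM = "v=DKIM1;h=sha256;k=rsa;p=" + "A" * 380

if __name__ == "__main__":
    print(nsupdate_add_txt("selector._domainkey.example.com.", 3600, SAMPLE_DKIM))
```

For the sample this yields three strings: `"v=DKIM1;h=sha256;k=rsa;"`, a 255-octet `"p=..."` piece and the remainder, which is the split the reporter describes as readable; resolvers and verifiers concatenate the strings, so the exact boundaries do not change the record's value.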
As a human, I would naturally (try to) split on boundaries that make this a bit more readable (i.e. starting a new chunk at "p="). I wouldn't think you'd want to have corner cases and parsing logic to make it pretty, I suppose as long as it's valid syntax and the rdata goes in properly that's all that matters.

Milestone: BIND 9.17 Backburner

Issue #1906: More BIND ARM text edits
https://gitlab.isc.org/isc-projects/bind9/-/issues/1906
Updated: 2020-06-08T12:11:06Z
Author: Suzanne Goldlust

security.rst updates

Milestone: June 2020 (9.11.20, 9.11.20-S1, 9.16.4, 9.17.2)
Assignee: Suzanne Goldlust

Issue #1905: Forbid the asterisk (*) single character domains on non-leaf level in the master zones
https://gitlab.isc.org/isc-projects/bind9/-/issues/1905
Updated: 2023-11-02T16:58:16Z
Author: Ondřej Surý

Currently, the `sub.*.example.com` is a valid and legal domain name. But not everything that's legal is right and this is a perfect example, as the domain in question is not a wildcard domain name covering `sub.<anything>.example.com`, but a single domain name `sub.*.example.com` where `*` is a literal asterisk character.
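The distinction the issue draws, as an added example that is not named-checkzone or other BIND code: only a leftmost label that is exactly `*` is a wildcard (RFC 4592, section 2.1.1); an asterisk in any other label, or an escaped `\*`, is an ordinary character, so `sub.*` matches nothing but itself. The classifier and the deliberately minimal zone-file scan below, and the sample zone fragment, are this example's own constructions.

```python
"""Added example for the wildcard issue: tell a real wildcard owner name
apart from one with a literal '*' label, and lint a zone for the latter.
Not named-checkzone code. Rule applied (RFC 4592, section 2.1.1): only a
leftmost label that is exactly "*" is a wildcard."""
from __future__ import annotations


def split_labels(name: str) -> list[str]:
    """Split a presentation-format name on unescaped dots.

    A backslash escape ('\\.', '\\*', '\\DDD') stays inside its label, and a
    trailing dot (absolute name) adds no empty root label."""
    labels, cur, i = [], "", 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name):
            cur += name[i:i + 2]
            i += 2
            continue
        if name[i] == ".":
            labels.append(cur)
            cur = ""
        else:
            cur += name[i]
        i += 1
    if cur:
        labels.append(cur)
    return labels


def classify(owner: str) -> str:
    """'wildcard', 'literal-asterisk' or 'ordinary' for an owner name."""
    labels = split_labels(owner)
    if labels and labels[0] == "*":
        return "wildcard"
    if any("*" in label for label in labels):
        return "literal-asterisk"
    return "ordinary"


def lint_zone(zone_text: str) -> list[tuple[int, str]]:
    """(line number, owner) for every record whose owner has a literal '*'.

    Deliberately minimal master-file handling: the owner is the first token
    of a line that does not start with whitespace (indented lines reuse the
    previous owner); '$' directives, comments and blank lines are skipped;
    multi-line parentheses and $ORIGIN expansion are not handled."""
    findings, owner = [], None
    for lineno, line in enumerate(zone_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(";") or line.startswith("$"):
            continue
        if not line[0].isspace():
            owner = line.split()[0]
        if owner is not None and classify(owner) == "literal-asterisk":
            findings.append((lineno, owner))
    return findings


# Constructed sample zone fragment (relative names under $ORIGIN example.com.).
SAMPLE_ZONE = r"""$ORIGIN example.com.
$TTL 3600
@           SOA   ns1 hostmaster 1 7200 3600 1209600 3600
@           NS    ns1
ns1         A     192.0.2.1
*.wild      A     192.0.2.2   ; real wildcard: matches <anything>.wild
sub.*       A     192.0.2.3   ; literal '*': only the name sub.*.example.com
            TXT   "indented line, same literal owner"
\*.esc      A     192.0.2.4   ; escaped asterisk, also literal
"""

if __name__ == "__main__":
    for lineno, owner in lint_zone(SAMPLE_ZONE):
        print(f"line {lineno}: literal '*' in owner {owner}")
```

Run against the sample, the lint reports lines 7, 8 and 9 and leaves `*.wild` alone; the same test applied at zone-load time is what the issue asks `named` to do for the `sub.*` case.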
Remember that `*` has no special meaning in the `QNAME`; it is only processed as `*` when loading the zone files.

Milestone: Not planned

Issue #1903: Authoritative server leaks 260 KB every 1-2 hours
https://gitlab.isc.org/isc-projects/bind9/-/issues/1903
Updated: 2023-11-03T06:59:46Z
Author: Michal Nowak

I ran a [stress test](https://gitlab.isc.org/isc-private/bind-qa/-/tree/master/bind9/stress) against a BIND 9.16.3 authoritative server on Alpine Linux 3.12 (which uses musl libc) for 18 hours and noticed that in many cases `named`'s VSZ usage bumps by 260 bytes every 1-2 hours. I haven't spotted this on Linux distributions with glibc. There are a few discrepancies from the "260 byte rule", but it seems too regular to be a coincidence. Although the memory usage bump is really tiny, there might be a leak of a structure.
![named-memory-use-graph-alpine-3.12](/uploads/de49507ad28ed28fababf1b713f29b6d/named-memory-use-graph-alpine-3.12.png)
Here are `VSZ`/`RSS` data every 30 seconds: [alpine-vm.txt](/uploads/9942d3ad62e9c8ec145a2e9fb9bc815b/alpine-vm.txt)
Here's a sample of the last few lines, funneled through `uniq`:
```
...
422496
422756
423016
423276
423536
423796
424056
424316
424576
424836
425096
425356
425616
425876
```

Milestone: Not planned

Issue #1902: BIND build problems on NetBSD 9
https://gitlab.isc.org/isc-projects/bind9/-/issues/1902
Updated: 2020-06-04T12:47:57Z
Author: Michal Nowak

There are three BIND 9.16.3 compilation issues on NetBSD 9 with Clang 9.0.1:

```
--- parser.o ---
clang -include /home/newman/bind-9.16.3/config.h -I/home/newman/bind-9.16.3 -I../.. -I. -I/home/newman/bind-9.16.3/lib/dns/include -I../../lib/dns/include -I/home/newman/bind-9.16.3/lib/isc/include -I../../lib/isc -I../../lib/isc/include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I/home/newman/bind-9.16.3/lib/isccfg/include -I../../lib/isccfg/include -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra -pthread -I/usr/pkg/include -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -Wno-missing-field-initializers -fno-strict-aliasing -Wshadow -Werror -c parser.c
--- parser.o ---
parser.c:1286:6: error: array subscript is of type 'char' [-Werror,-Wchar-subscripts]
if (toupper(TOKEN_STRING(pctx)[0]) == 'P') {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:60:46: note: expanded from macro 'toupper'
#define toupper(c) ((int)((_toupper_tab_ + 1)[(c)]))
^~~~
clang -include /home/newman/bind-9.16.3/config.h -I/home/newman/bind-9.16.3 -I../.. -I./include -I./unix/include -I. -I/home/newman/bind-9.16.3/lib/ns/include -I../../lib/ns/include -I/home/newman/bind-9.16.3/lib/dns/include -I../../lib/dns/include -I/home/newman/bind-9.16.3/lib/bind9/include -I../../lib/bind9/include -I/home/newman/bind-9.16.3/lib/isccfg/include -I../../lib/isccfg/include -I/home/newman/bind-9.16.3/lib/isccc/include -I../../lib/isccc/include -I/home/newman/bind-9.16.3/lib/isc/include -I../../lib/isc -I../../lib/isc/include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../contrib/dlz/drivers/include -I/usr/pkg/include/json-c -I/usr/pkg/include/libxml2 -DCONTRIB_DLZ -DDLZ_FILESYSTEM -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra -pthread -I/usr/pkg/include -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -Wno-missing-field-initializers -fno-strict-aliasing -Wshadow -Werror -DVERSION=\"9.16.3\" -DPRODUCT=\""BIND"\" -DDESCRIPTION=\""(Stable Release)"\" -DSRCID=\"5ea41c1\" -DCONFIGARGS="\"'--disable-maintainer-mode' '--enable-developer' '--disable-static' '--with-cmocka' '--with-libxml2' '--with-json-c' '--without-make-clean' '--with-python=python3.7' '--disable-backtrace' '--disable-symtable' 'CC=clang' 'CFLAGS=-fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra'\"" -DBUILDER="\"make\"" -DNAMED_LOCALSTATEDIR=\"/usr/local/var\" -DNAMED_SYSCONFDIR=\"/usr/local/etc\" -c ./main.c
./main.c:358:8: error: array subscript is of type 'char' [-Werror,-Wchar-subscripts]
if (isalnum(*src) || *src == ',' || *src == '-' ||
^~~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:48:44: note: expanded from macro 'isalnum'
#define isalnum(c) ((int)((_ctype_tab_ + 1)[(c)] & (_CTYPE_A|_CTYPE_D)))
^~~~
./main.c:362:15: error: array subscript is of type 'char' [-Werror,-Wchar-subscripts]
} else if (isprint(*src)) {
^~~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:54:44: note: expanded from macro 'isprint'
#define isprint(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_R))
^~~~
```
I fixed this by adding `(unsigned char)` before the parameter of the failing macros:
- `toupper((unsigned char)TOKEN_STRING(pctx)[0])`
- `isalnum((unsigned char)*src)`
- `isprint((unsigned char)*src)`
There's also a `gen.c` linking problem:
```
clang -fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra -pthread -I/usr/pkg/include -fPIC -I../../lib/isc/include -Wl,-E -o gen ./gen.c -L/usr/pkg/lib -luv -lkvm -lrt -lpthread
make include/dns/enumtype.h
./gen -s . -t > include/dns/enumtype.h || { rm -f include/dns/enumtype.h ; exit 1; }
./gen: Shared object "libuv.so.1" not found
*** [include/dns/enumtype.h] Error code 1
```
I worked around it with `LD_LIBRARY_PATH=/usr/pkg/lib make`; I haven't looked for a proper fix.

Milestone: June 2020 (9.11.20, 9.11.20-S1, 9.16.4, 9.17.2)
Assignee: Michal Nowak

Issue #1901: Add win32util/Configure path checks to CI
https://gitlab.isc.org/isc-projects/bind9/-/issues/1901
Updated: 2020-06-01T01:38:21Z
Author: Mark Andrews

Assignee: Mark Andrews

Issue #1900: Runtime system test fails badly when run as root on non-linux systems.
https://gitlab.isc.org/isc-projects/bind9/-/issues/1900
Updated: 2023-11-02T16:58:16Z
Author: Mark Andrews

Lots of the sub tests depend on capabilities being enabled to get "permission denied" when run as root.
```
% sudo sh run.sh runtime
Making check in dyndb/driver
make[1]: Nothing to be done for `check'.
Making check in dlzexternal/driver
make[1]: Nothing to be done for `check'.
/Applications/Xcode.app/Contents/Developer/usr/bin/make feature-test makejournal pipelined/pipequeries rndc/gencheck rpz/dnsrps tkey/keycreate tkey/keydelete
make[2]: `feature-test' is up to date.
make[2]: `makejournal' is up to date.
make[2]: `pipelined/pipequeries' is up to date.
make[2]: `rndc/gencheck' is up to date.
make[2]: `rpz/dnsrps' is up to date.
make[2]: `tkey/keycreate' is up to date.
make[2]: `tkey/keydelete' is up to date.
/Applications/Xcode.app/Contents/Developer/usr/bin/make check-TESTS
S:runtime:2020-06-01T09:18:45+1000
T:runtime:1:A
A:runtime:System test runtime
I:runtime:PORTS:5330,5331,5332,5333,5334,5335,5336,5337,5338,5339
I:runtime:starting servers
I:runtime:verifying that named started normally (1)
I:runtime:verifying that named checks for conflicting named processes (2)
I:runtime:verifying that 'lock-file none' disables process check (3)
I:runtime:checking that named refuses to reconfigure if working directory is not writable (4)
I:runtime:failed
I:runtime:checking that named refuses to reconfigure if managed-keys-directory is not writable (5)
I:runtime:failed
I:runtime:checking that named refuses to reconfigure if new-zones-directory is not writable (6)
I:runtime:failed
I:runtime:checking that named recovers when configuration file is valid again (7)
I:runtime:failed
I:runtime:checking that named refuses to start if working directory is not writable (8)
I:runtime:failed
I:runtime:checking that named refuses to start if managed-keys-directory is not writable (9)
I:runtime:failed
I:runtime:checking that named refuses to start if new-zones-directory is not writable (10)
I:runtime:failed
I:runtime:checking that named logs control characters in octal notation (11)
I:runtime:checking that named escapes special characters in the logs (12)
I:runtime:checking that named logs an ellipsis when the command line is larger than 8k bytes (13)
I:runtime:verifying that named switches UID (14)
I:runtime:failed
I:runtime:exit status: 8
I:runtime:stopping servers
R:runtime:FAIL
E:runtime:2020-06-01T09:19:22+1000
FAIL: runtime
============================================================================
Testsuite summary for BIND 9.17.1-dev
============================================================================
# TOTAL: 1
# PASS: 0
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
============================================================================
See bin/tests/system/run.log
Please report to info@isc.org
============================================================================
make[3]: *** [run.log] Error 1
make[2]: *** [check-TESTS] Error 2
make[1]: *** [check-am] Error 2
make: *** [check-recursive] Error 1
%
```
Additionally it appears that the following also fails on centos8 (from bind-users) which is what prompted me to check.
```
I:runtime:verifying that named switches UID (14)
I:runtime:failed
```

Milestone: Not planned

Issue #1899: TCP Accept Refactoring broke Windows
https://gitlab.isc.org/isc-projects/bind9/-/issues/1899
Updated: 2020-06-08T12:19:30Z
Author: Ondřej Surý

The !3320 that got merged to master broke TCP connections on Windows. This needs to be fixed on master (before we release the next 9.17.2) and also before we merge the backport to the BIND 9.16 branch.

Milestone: June 2020 (9.11.20, 9.11.20-S1, 9.16.4, 9.17.2)
Assignee: Witold Krecicki

Issue #1898: '.rst' files should be independent of configure option.
https://gitlab.isc.org/isc-projects/bind9/-/issues/1898
Updated: 2020-06-29T13:33:15Z
Author: Mark Andrews

'.rst' files are being generated from doc/misc/options, which has different line breaks depending upon which configure options are set, as ' // not configured' differs. This impacts the generated '.rst' files, leading to churn in them. The '.rst' files are nominally independent of configure options.

Milestone: July 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)

Issue #1897: max-transfer-time-* and max-transfer-idle-* broken since 9.15.6
https://gitlab.isc.org/isc-projects/bind9/-/issues/1897
Updated: 2023-04-05T18:20:10Z
Author: Brian Conry

In 53f0b6c34d3f ("convert ns_client and related objects to use netmgr"), the logic for setting a timer to enforce `max-transfer-time-out` and `max-transfer-idle-out` was removed.
In 49d53a4aa95682f9d94da4c6fa68ded66283cce9 ("use netmgr for xfrin"), the `max-transfer-time-in` and `max-transfer-idle-in` options have met a similar destiny.

Milestone: March 2022 (9.11.37, 9.11.37-S1, 9.16.27, 9.16.27-S1, 9.18.1)
Assignee: Ondřej Surý

Issue #1896: spurious root queries on timeout
https://gitlab.isc.org/isc-projects/bind9/-/issues/1896
Updated: 2023-11-02T16:58:16Z
Author: Evan Hunt

Reported by Ke Li <kl3158@columbia.edu> against 9.11.18 and 9.16.1.
```
Dear BIND authors,
We have documented specific cases where BIND9 (9.11.18 and 9.16.1)
generates requests to root servers which we think are not very
useful. We would like to know if it is a known behavior or if there is
an underlying design choice for these queries that we do not understand?
Below is a brief overview of what we found.
The behavior we found is that when BIND9 has TLD servers' addresses in
the cache, which are authoritative for domains like "com", and BIND9 gets an
A or AAAA type request like "some.example.com" from users, it still
sends requests like "ns1.example.com" to root and the root server replies
with addresses of TLD servers again. The pattern looks like this:

user asks BIND9                              Query: bidder.criteo.com, Type A
BIND9 asks TLD servers                       To: 192.42.93.30 (g.gtld)  Query: bidder.criteo.com, Type A
Get a response from TLD servers              From: 192.42.93.30 (g.gtld)  Query: bidder.criteo.com
                                             Response: NS ns23.criteo.com NS ns22.criteo.com NS ns25.criteo.com
                                             NS ns26.criteo.com NS ns27.criteo.com NS ns28.criteo.com.
                                             All with A-type records in "Additional Records".
BIND9 asks one of the nameservers. No reply  To: 74.119.119.1 (ns25.criteo.com)  Query: bidder.criteo.com, Type A
BIND9 asks another nameserver.               To: 182.161.73.4 (ns28.criteo.com)  Query: bidder.criteo.com Type A
And at the same time,
BIND9 sends requests to root                 To: 192.58.128.30 (j.root)  Query: ns22.criteo.com Type AAAA
                                             To: 192.58.128.30 (j.root)  Query: ns23.criteo.com Type AAAA
                                             To: 192.58.128.30 (j.root)  Query: ns27.criteo.com Type AAAA
                                             To: 192.58.128.30 (j.root)  Query: ns25.criteo.com Type AAAA
                                             To: 192.58.128.30 (j.root)  Query: ns26.criteo.com Type AAAA
                                             To: 192.58.128.30 (j.root)  Query: ns28.criteo.com Type AAAA
We deployed a BIND9 v9.11.18 instance and a BIND9 v9.16.1 locally and
loaded web traffic captured by Wireshark on port 53. Then we analyzed
the data and found several things about these interesting requests to root.
1. they are requesting authoritative nameservers of a subdomain or a
hostname. For "ns23.criteo.com" and "ns22.criteo.com" are authoritative
nameservers for
2. they are requesting records that are not in the last level
nameserver's response. For in the response from the TLD server to
BIND9's request on "bidder.criteo.com", there is no type record (in
"Additional Records") for nameserver "ns23.criteo.com", so BIND9 later
sends an AAAA type request on "ns23.criteo.com" to root.
3. if BIND9 times out when it queries one of these nameservers, BIND9
will generate these requests to root. For example, after getting the
response from the TLD server on "bidder.criteo.com", BIND9 goes ahead
and sends a request on "bidder.criteo.com" to "ns25.criteo.com", but
there is no reply. Then BIND9 will send the request to another name
server (randomly chosen) "ns28.criteo.com" and also generate requests to
root.
Therefore, we guess this kind of request is generated by timeouts when
BIND9 queries nameservers. We then tried to validate our hypothesis. We
manually created timeouts with iptables to ban IPs of some nameservers and
the same behavior happened. A simple test pcap file as an example is
attached, with an explanation. Also, the configuration file of our
deployment is attached. We then validated our hypothesis on a recursive
resolver at an academic institution running BIND9 v9.11.14, and found out
that around 80% of A and AAAA queries to root servers were in this pattern.
We'd appreciate it if you help us understand this behavior. We are mainly
curious about the reason behind it. Is it a necessary design or is it
avoidable? We think maybe some DNS root servers would be saved if BIND9
could avoid this kind of behavior.
Thank you very much!
```

Milestone: Not planned