Is it really too much effort for the servers to return NOERROR instead of an incorrect NXDOMAIN for the intermediate names? That would get rid of the log message. It’s changing 1 bit (0 vs 4 for the rcode) in the DNS header. They don’t even have to lookup if there are names below the query. The server can just assume that there are records there and return NOERROR for [0..255].zen.spamhaus.org, [0..255].[0..255].zen.spamhaus.org and [0..255].[0..255].[0..255].zen.spamhaus.org. Really we would like to be able to move to strict QNAME minimisation so we don’t need to make all the other queries after the first NXDOMAIN response but broken implementations like this are making that difficult. It’s not like this is a new requirement. A NOERROR response goes back the RFC 1034. Additionally Spamhaus controls how often resolvers re-query. 10 seconds is a very short negative response TTL. If they don’t like the query rate they can control it by returning longer negative cache responses. Named does check in the cache for negative cache entries to determine whether or not to make the intermediate QNAME minimisation queries.
> On 15 Jul 2024, at 23:27, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote: > > Hello, > > I have noticed that especially DNS blocklist cause errors like: > > Jul 14 01:41:28 fantomas named[1854]: success resolving > 'D.C.B.A.zen.spamhaus.org/A' after disabling qname minimization due to > 'ncache nxdomain' > > and blocklists like spamhaus are sensitive to too many queries. > > is it possible to disable query minimisation for particular domains? > > > -- > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ > Warning: I wish NOT to receive e-mail advertising to this address. > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. > Atheism is a non-prophet organization. > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
