Hi Bernd. Two things: - What did you upgrade from? - Have you tried the same query several times in a row?
Recent changes in BIND mean it now limits the number of records it is prepared to accept in one response, as an anti-DDoS measure. If auth servers for a particular zone (I haven't looked at this one) happen to respond with more than that threshold (which can be adjusted), it might take several goes, with a cold cache, before BIND has gathered enough information to be able to answer the client query. Please check. Cheers, Greg On Thu, 30 Oct 2025 at 10:27, Bernd Leibing <[email protected]> wrote: > Hi, > > after the recent security upgrade to BIND 9.18.41-1~deb12u1-Debian, my > resolver > failed to resolve for example ns7.zainternet.net/A > > This is easy to reproduce with the default configuration. Not much in the > log, even > with max debug level. > > # rndc status > version: BIND 9.18.41-1~deb12u1-Debian (Extended Support Version) <id:> > running on localhost: Linux x86_64 6.1.0-40-amd64 #1 SMP PREEMPT_DYNAMIC > Debian > 6.1.153-1 (2025-09-20) > boot time: Wed, 29 Oct 2025 22:51:58 GMT > last configured: Wed, 29 Oct 2025 22:51:58 GMT > configuration file: /etc/bind/named.conf > CPUs found: 4 > worker threads: 4 > UDP listeners per interface: 4 > number of zones: 103 (98 automatic) > debug level: 99 > ... > > # host ns7.zainternet.net 127.0.0.1 > ;; communications error to 127.0.0.1#53: timed out > ;; communications error to 127.0.0.1#53: timed out > ;; no servers could be reached > > > #### slightly redacted > # journalctl -n 30 -t named > Oct 30 named[]: shut down hung fetch while resolving ' > ns7.zainternet.net/AAAA' > Oct 30 named[]: shut down hung fetch while resolving 'ns7.zainternet.net/A > ' > Oct 30 named[]: shut down hung fetch while resolving ' > ns8.za-internet.net/A' > Oct 30 named[]: shut down hung fetch while resolving ' > ns7.zainternet.net/AAAA' > Oct 30 named[]: shut down hung fetch while resolving ' > ns8.za-internet.net/AAAA' > Oct 30 named[]: shut down hung fetch while resolving ' > ns11.zainternet.net/AAAA' > Oct 30 named[]: shut down hung fetch while resolving ' > ns11.zainternet.net/A' > Oct 30 named[]: shut down hung fetch while resolving 'ns7.za-internet.de/A > ' > Oct 30 named[]: shut down hung fetch while resolving ' > ns7.za-internet.de/AAAA' > Oct 30 named[]: shut down hung fetch while resolving ' > ns11.za-internet.de/A' > Oct 30 named[]: shut down hung fetch while resolving ' > ns11.za-internet.de/AAAA' > Oct 30 named[]: shut down hung fetch while resolving 'ns8.za-domain.de/A' > Oct 30 named[]: shut down hung fetch while resolving ' > ns8.za-domain.de/AAAA' > Oct 30 named[]: shut down hung fetch while resolving ' > ns7.za-internet.net/AAAA' > Oct 30 named[]: shut down hung fetch while resolving ' > ns7.za-internet.net/A' > > Any hints? > Thanks & Regards, > > Bernd > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list. >
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
