Hi,

I would like to bring your attention to the changes that have landed in the latest development version of BIND 9.21 and that will be present in BIND 9.22 (to be released later this year).

The first major change is that BIND 9 is switching to a parent-centric model of delegations. This means that only the NS records (and possibly DELEG records when the IETF has done the work) from the parent domain will be considered when looking up the nameservers for the child domain. The NS records in the child domain will be treated as normal DNS records and returned as authoritative data, but they will no longer overwrite the delegation data for the domain. If you want to delve into the technical details and reasoning behind the change, you are most welcome to read the Internet Draft I've submitted to the IETF and possibly also express interest in the draft in the dnsop wg:

https://datatracker.ietf.org/doc/draft-sury-dnsop-parent-centric-resolver/

The second major change is that the DNS resolver cache will only do opportunistic TTL cleaning and LRU cleaning. The opportunistic TTL cleaning means that if the cache is asked for an already expired record it will expunge the records and possibly cache the new data as needed. The LRU[1] cleaning is triggered only when the cache is nearing the configured memory limit. The positive effect is simpler code and less work to do during cache misses, as there's no heap (priority queue) to reorder. However, to a casual system administrator this will manifest as a steady increase of memory use until named reaches the configured (max-cache-size) limit. Our experiments show that named behaves well even with smaller cache sizes, and you might want to experiment with smaller cache sizes (512M - 1GB) to see if they work well for you. The reasoning behind this change is quite simple - the TTL-based cleaning is just a band-aid - it pretends to work until the DNS resolver is under attack. A determined attacker can then fill your cache with various records, and when the cache is under memory pressure the TTL-based cleaning is just a nuisance. Because of that, we've improved the LRU cleaning that gets triggered under memory pressure, and there's simply no reason to keep both algorithms in place.

You are most welcome to test the 9.21.21 release that contains both of the changes and report any issues you've encountered to our GitLab issue tracker or simply here.

1. Least Recently Used - but the actual implementation in BIND 9 is SIEVE-LRU; you can read more about the algorithm in our blog post: https://www.isc.org/blogs/2025-sieve/

Ondrej
--
Ondřej Surý (He/Him)
[email protected]

ADHD brain at work: I sometimes lose track of my inbox. Please feel free to send a gentle nudge if you're waiting on a reply!

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.
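The cache behaviour described in the second change (no background TTL sweep; expired records are expunged only when a lookup touches them; SIEVE eviction runs only once the cache is up against its memory limit) is easier to reason about with a runnable model. The following Python block is an added illustration written for this page; it is not BIND 9's code and not the author's. The `SieveCache` class, the `max_cache_size` parameter (a stand-in for BIND's max-cache-size, counted in made-up per-entry byte sizes), the names and the workload are all constructed for the example.

```python
"""Added example: a small model of a resolver cache that does only
opportunistic TTL cleaning plus SIEVE eviction under memory pressure.
Illustrative code, not BIND 9's implementation."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    key: Tuple[str, str]            # (owner name, RR type)
    rdata: List[str]                # record data, e.g. ["192.0.2.10"]
    expires: float                  # absolute expiry time in seconds
    size: int                       # pretend memory footprint in bytes
    visited: bool = False           # SIEVE: touched since the hand passed?
    prev: Optional["Entry"] = None  # neighbour toward the head (newer)
    next: Optional["Entry"] = None  # neighbour toward the tail (older)


class SieveCache:
    """Entries sit in an insertion-ordered queue (head = newest, tail = oldest).

    get(): an expired entry is expunged only when a lookup hits it.
    put(): SIEVE eviction runs only while used > max_cache_size."""

    def __init__(self, max_cache_size: int):
        self.max_cache_size = max_cache_size
        self.index = {}
        self.head = self.tail = self.hand = None
        self.used = 0
        self.expired_evictions = 0   # removed by opportunistic TTL cleaning
        self.sieve_evictions = 0     # removed under memory pressure

    def _link_head(self, e):
        e.prev, e.next = None, self.head
        if self.head is not None:
            self.head.prev = e
        self.head = e
        if self.tail is None:
            self.tail = e

    def _unlink(self, e):
        if self.hand is e:           # keep the hand walking toward the head
            self.hand = e.prev
        if e.prev is not None:
            e.prev.next = e.next
        else:
            self.head = e.next
        if e.next is not None:
            e.next.prev = e.prev
        else:
            self.tail = e.prev
        e.prev = e.next = None

    def _remove(self, e):
        self._unlink(e)
        del self.index[e.key]
        self.used -= e.size

    def get(self, key, now):
        e = self.index.get(key)
        if e is None:
            return None
        if e.expires <= now:
            # Opportunistic TTL cleaning: nothing sweeps expired data in the
            # background; it is dropped when somebody asks for it.
            self._remove(e)
            self.expired_evictions += 1
            return None
        e.visited = True
        return e.rdata

    def _evict_one(self):
        # SIEVE: the hand moves from the tail toward the head, clearing
        # visited bits; the first entry not visited since the last pass goes.
        while True:
            if self.hand is None:
                self.hand = self.tail
            e = self.hand
            if not e.visited:
                self._remove(e)      # _unlink advances the hand for us
                self.sieve_evictions += 1
                return e.key
            e.visited = False
            self.hand = e.prev

    def put(self, key, rdata, ttl, size, now):
        old = self.index.get(key)
        if old is not None:
            self._remove(old)
        e = Entry(key, rdata, now + ttl, size)
        self.index[key] = e
        self._link_head(e)
        self.used += size
        while self.used > self.max_cache_size and self.index:
            self._evict_one()

    def resident_expired(self, now):
        return sum(1 for e in self.index.values() if e.expires <= now)


def run_demo(max_cache_size=4096, flood=200):
    """Constructed workload: one hot name looked up every second, plus a flood
    of unique short-TTL names never asked for again (the shape of a
    cache-filling attack). Names, TTLs and sizes are made up."""
    cache = SieveCache(max_cache_size)
    now = 0.0
    hot = ("www.example.", "A")
    cache.put(hot, ["192.0.2.10"], ttl=3600, size=64, now=now)
    peak = cache.used
    for i in range(flood):
        now += 1.0
        cache.put((f"junk{i}.example.", "A"), ["192.0.2.99"], ttl=5, size=64, now=now)
        cache.get(hot, now)          # hit sets the hot entry's visited bit
        peak = max(peak, cache.used)
    stats = {
        "peak_used": peak,                                # climbs to the limit, then stays
        "resident": len(cache.index),
        "expired_resident": cache.resident_expired(now),  # expired but never looked up
        "hot_survives": cache.get(hot, now) is not None,
        "sieve_evictions": cache.sieve_evictions,
    }
    return cache, now, stats


if __name__ == "__main__":
    _, _, s = run_demo()
    print(s)
```

Running `run_demo()` shows the point the message makes: memory use climbs until it hits the limit and then sits there, dozens of already-expired junk records stay resident because nobody asks for them again, and the one name that is actually being queried keeps its visited bit and survives every pass of the SIEVE hand. A later lookup of one of the expired junk names returns nothing and frees its slot, which is the whole of the "opportunistic" TTL cleaning.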
