> Are there any warnings that can be enabled?
> I think, one wouldn't want this on by default.

What warnings do you have in mind? Like https://zonemaster.net/en/ (it also has a command line utility)

> How does bind9 set its default cache size? Is it related to available
> physical (not virtual) memory?

Yes, it is actually documented:
https://bind9.readthedocs.io/en/v9.21.21/reference.html#namedconf-statement-max-cache-size

--
Ondřej Surý (He/Him)
[email protected]

ADHD brain at work: I sometimes lose track of my inbox. Please feel free to send a gentle nudge if you're waiting on a reply!

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 8. 4. 2026, at 19:07, Michael Richardson <[email protected]> wrote:
>
>
> Ondřej Surý <[email protected]> wrote:
>> nameservers for the child domain. The NS records in the child domain
>> will be treated as normal DNS records and returned
>> as authoritative data, but they will no longer overwrite the delegation
>> data for the domain. If you want to delve into the technical
>> details and reasoning behind the change, you are most welcome to read
>> the Internet Draft I've submitted to IETF and possibly
>> also express interest in the draft in the dnsop wg:
>
> So, I think this affects only people who have a parent and a child loaded
> into an authoritative server... and who have not synchronized them.
>
> That could easily happen if one has a secondary name server that loads zones
> from different origins. Come to think of it my secondary loads reverse zones
> in that exact way... So maybe it affects many ISPs.
> I was thinking finding/fixing this would be easy for those who just have a
> directory of files, but the secondary and inline DNSSEC signer situations
> probably make it more prevalent.
>
> Are there any warnings that can be enabled?
> I think, one wouldn't want this on by default.
>
>> Our experiments show that named behaves well even with smaller cache
>> sizes, and you might want to experiment with smaller
>> cache sizes (512M - 1GB) to see if they work well for you. The
>> reasoning behind this change is quite simple - the TTL-based cleaning
>> is just a band-aid - it pretends to work until the DNS resolver is
>> under attack. A determined attacker can then fill your cache with
>
> How does bind9 set its default cache size? Is it related to available
> physical (not virtual) memory? Or?
>
> Is the default sensible? Is there any advice about if the value should be
> tuned? What I'm really asking is: while ram is cheap, no point in wasting
> it provisioning it to VMs that don't need it.
> Is the cache common across views? I never looked.
> As a historical one-bind to rule them all user, I use one view for
> stealth-authoritative (unsigned), another for inline DNSSEC signing, and a
> third for recursive resolution.
>
> --
> ] Never tell me the odds! | ipv6 mesh networks [
> ] Michael Richardson, Sandelman Software Works | IoT architect [
> ] [email protected] http://www.sandelman.ca/ | ruby on rails [
>
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
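An added example, not from either poster and not BIND's own code, for the situation Michael describes: a parent zone and its child zone loaded into the same authoritative server whose NS sets have drifted apart, which is exactly the case in which named used to let the child's apex NS records overwrite the delegation and now no longer does. The script parses a deliberately minimal, constructed zone-file syntax (single-line records, $ORIGIN, "@" and relative names, optional TTL/class, ";" comments; no $INCLUDE and no parenthesised multi-line records) and compares the NS RRset the parent publishes at the delegation point with the NS RRset at the child's apex. The zone names, serials and addresses are constructed for illustration.

```python
# Added example: delegation/apex NS consistency check for a parent and child
# zone served by the same authoritative server.  Not BIND code; the zone data
# below is constructed, and the parser handles only the minimal syntax it uses.

def _abs(origin: str) -> str:
    """Normalise a zone origin to an absolute, lower-case name with a trailing dot."""
    return origin.rstrip(".").lower() + "."


def _qualify(name: str, origin: str) -> str:
    """Turn a zone-file owner or target into an absolute lower-case name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_ns_records(zone_text: str, origin: str) -> dict:
    """Return {owner: {nsdname, ...}} for every NS record in the zone text.
    Supports $ORIGIN, '@', relative names, an optional TTL and class, ';'
    comments and blank-owner continuation lines.  Parenthesised multi-line
    records and $INCLUDE are not supported (constructed input only)."""
    origin = _abs(origin)
    records: dict = {}
    last_owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = _abs(fields[1])
            continue
        if fields[0].startswith("$"):            # $TTL, $INCLUDE: ignored here
            continue
        if line[0] in " \t":                     # leading blank: same owner as before
            owner = last_owner
        else:
            owner = _qualify(fields.pop(0), origin)
            last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                        # skip optional TTL and class
        if len(fields) >= 2 and fields[0].upper() == "NS":
            records.setdefault(owner, set()).add(_qualify(fields[1], origin))
    return records


def check_delegation(parent_text: str, parent_origin: str,
                     child_text: str, child_origin: str) -> dict:
    """Compare the NS RRset the parent publishes for the child's apex with the
    NS RRset at the child's own apex and report the differences."""
    apex = _abs(child_origin)
    parent_ns = parse_ns_records(parent_text, parent_origin).get(apex, set())
    child_ns = parse_ns_records(child_text, child_origin).get(apex, set())
    return {
        "apex": apex,
        "delegation": parent_ns,
        "child_apex": child_ns,
        "only_in_parent": parent_ns - child_ns,
        "only_in_child": child_ns - parent_ns,
        "consistent": bool(parent_ns) and parent_ns == child_ns,
    }


def format_warning(result: dict) -> str:
    """One-line operator-facing summary of a check_delegation() result."""
    if result["consistent"]:
        return f"OK: delegation for {result['apex']} matches the child apex NS set"
    return (f"WARNING: NS mismatch for {result['apex']}: "
            f"parent-only={sorted(result['only_in_parent'])} "
            f"child-only={sorted(result['only_in_child'])}")


# Constructed sample zones: the child replaced ns2 with ns3 but the parent's
# delegation (and glue) was never updated.
PARENT_ZONE = """\
$ORIGIN example.
@       3600 IN SOA ns1.example. hostmaster.example. 2026040801 7200 3600 1209600 3600
        3600 IN NS  ns1.example.
        3600 IN NS  ns2.example.
child        IN NS  ns1.child.example.   ; delegation as configured long ago
child        IN NS  ns2.child.example.
ns1.child    IN A   192.0.2.1            ; glue
ns2.child    IN A   192.0.2.2
"""

CHILD_ZONE = """\
$ORIGIN child.example.
@       3600 IN SOA ns1 hostmaster 2026040802 7200 3600 1209600 3600
             IN NS  ns1
             IN NS  ns3                   ; ns2 retired, parent never updated
ns1          IN A   192.0.2.1
ns3          IN A   192.0.2.3
"""

if __name__ == "__main__":
    print(format_warning(check_delegation(PARENT_ZONE, "example.",
                                          CHILD_ZONE, "child.example.")))
```

Run it against real zone files by reading each file into a string and passing the zone's origin; for inline-signed or secondary zones, dump the zone as served (for example with `rndc dumpdb` or a zone transfer) rather than the on-disk primary file, since that is the data named is actually loading.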

