Your message dated Wed, 6 Jul 2022 07:45:28 +0200
with message-id <[email protected]>
and subject line Re: Bug#963217: bind9: 9.11 min-ncache-ttl patch swaps min-max ncache ttl in non-DNSSEC path
has caused the Debian Bug report #963217,
regarding bind9: 9.11 min-ncache-ttl patch swaps min-max ncache ttl in non-DNSSEC path
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
963217: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963217
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bind9
Version: 1:9.11.5.P4+dfsg-5.1+deb10u1
Severity: normal

Dear Maintainer,

We run a Debian 10 recursive resolver with DNSSEC validation disabled, and
discovered that it puts negative answers in cache with a TTL of 3 hours (10800s),
regardless of the SOA's MINIMUM field.

Example query against a problem resolver:
$ dig @127.0.0.1 nx-domain.xyz | grep SOA
xyz. 10800 IN SOA ...snip snip... 3600
# rndc dumpdb -cache
# grep nx-domain /var/cache/bind/named_dump.db
nx-domain.xyz. 10800 \-ANY ...snip...

With DNSSEC validation enabled, the negative answer is cached correctly for
3600s.

As a workaround, we set min-ncache-ttl a bit bigger than the affected
internal zone's MINIMUM, and could keep dnssec-validation no.

The min-ncache-ttl patch for the 9.11 series misplaced `view->maxncachettl`
into the `view->minncachettl` position in ncache_message (patch
003_min_cache_ttl.diff lines 236 to 238, compared to the lines in validated()
above). This is also present in the stretch-backports patch.

This patch was dropped from bind9 9.12 packages onward, so sid/experimental
doesn't have this bug.

Please help refresh the patch, thank you.


-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii adduser 3.118
ii bind9utils 1:9.11.5.P4+dfsg-5.1+deb10u1
ii debconf [debconf-2.0] 1.5.71
ii dns-root-data 2019031302
ii libbind9-161 1:9.11.5.P4+dfsg-5.1+deb10u1
ii libc6 2.28-10
ii libcap2 1:2.25-2
ii libcom-err2 1.44.5-1+deb10u3
ii libdns1104 1:9.11.5.P4+dfsg-5.1+deb10u1
ii libfstrm0 0.4.0-1
ii libgeoip1 1.6.12-1
ii libgssapi-krb5-2 1.17-3
ii libisc1100 1:9.11.5.P4+dfsg-5.1+deb10u1
ii libisccc161 1:9.11.5.P4+dfsg-5.1+deb10u1
ii libisccfg163 1:9.11.5.P4+dfsg-5.1+deb10u1
ii libjson-c3 0.12.1+ds-2
ii libk5crypto3 1.17-3
ii libkrb5-3 1.17-3
ii liblmdb0 0.9.22-1
ii liblwres161 1:9.11.5.P4+dfsg-5.1+deb10u1
ii libprotobuf-c1 1.3.1-1+b1
ii libssl1.1 1.1.1d-0+deb10u3
ii libxml2 2.9.4+dfsg1-7+b3
ii lsb-base 10.2019051400
ii net-tools 1.60+git20180626.aebd88e-1
ii netbase 5.6

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn bind9-doc <none>
ii dnsutils 1:9.11.5.P4+dfsg-5.1+deb10u1
pn resolvconf <none>
pn ufw <none>

-- Configuration Files:
/etc/bind/named.conf.options changed:
options {
 directory "/var/cache/bind";
 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk. See http://www.kb.cert.org/vuls/id/800113
 // If your ISP provided one or more IP addresses for stable
 // nameservers, you probably want to use them as forwarders.
 // Uncomment the following block, and insert the addresses replacing
 // the all-0's placeholder.
 // forwarders {
 // 0.0.0.0;
 // };
 //========================================================================
 // If BIND logs error messages about the root key being expired,
 // you will need to update your keys. See https://www.isc.org/bind-keys
 //========================================================================
 dnssec-validation no;
 listen-on-v6 { any; };
};


-- debconf information:
  bind9/different-configuration-file:
  bind9/start-as-user: bind
  bind9/run-resolvconf: false

--- End Message ---
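The report above shows the two artifacts you need to confirm this on your own resolver: the SOA line that `dig` prints for an NXDOMAIN answer and the `\-ANY` negative entry in the `rndc dumpdb -cache` output. The following is an added example, not part of the bug report or of BIND: it parses both lines and applies the RFC 2308 negative-caching rule (a negative answer may be cached for at most min(SOA MINIMUM, max-ncache-ttl), raised to min-ncache-ttl when that is configured larger) so a 10800s entry for a zone whose MINIMUM is 3600 is flagged. The hostnames, serial number and dump lines are constructed to resemble the report, not captured from a real resolver; the defaults of 10800 and 0 are BIND's documented max-ncache-ttl and min-ncache-ttl defaults.

```python
"""Check that a recursive resolver caps negative-cache TTL at the SOA MINIMUM.

Added example (not the Debian bug report's or BIND's code). Feed it the output of
`dig @127.0.0.1 nx-domain.xyz | grep SOA` and/or negative entries grepped from
named_dump.db; it reports entries cached longer than RFC 2308 allows.
"""
import re
import sys

# Constructed samples modelled on the report's output (not a real capture).
DIG_SOA_NXDOMAIN_BUGGY = (
    "xyz.\t\t10800\tIN\tSOA\tns0.example.\thostmaster.example. "
    "2022070600 3600 600 604800 3600"
)
DIG_SOA_NXDOMAIN_OK = (
    "xyz.\t\t3600\tIN\tSOA\tns0.example.\thostmaster.example. "
    "2022070600 3600 600 604800 3600"
)
DUMPDB_LINE_BUGGY = "nx-domain.xyz.\t10800\t\\-ANY\t;-$NXDOMAIN"

BIND_DEFAULT_MAX_NCACHE_TTL = 10800  # BIND's default max-ncache-ttl (3 hours)
BIND_DEFAULT_MIN_NCACHE_TTL = 0      # BIND's default min-ncache-ttl


def parse_soa(line):
    """Return (owner, ttl, minimum) from a dig-style SOA presentation line.

    Field order: owner ttl class type mname rname serial refresh retry expire minimum.
    """
    f = line.split()
    if len(f) < 11 or f[2] != "IN" or f[3] != "SOA":
        raise ValueError("not an SOA line: %r" % line)
    return f[0], int(f[1]), int(f[10])


_DUMP_NEG = re.compile(r"^(\S+)\s+(\d+)\s+\\-(\S+)")


def parse_ncache_line(line):
    """Return (name, ttl, rrtype) from a named_dump.db negative entry (`\\-TYPE`)."""
    m = _DUMP_NEG.match(line)
    if not m:
        raise ValueError("not a negative-cache entry: %r" % line)
    return m.group(1), int(m.group(2)), m.group(3)


def ncache_ttl_bound(soa_minimum,
                     max_ncache_ttl=BIND_DEFAULT_MAX_NCACHE_TTL,
                     min_ncache_ttl=BIND_DEFAULT_MIN_NCACHE_TTL):
    """Longest time a negative answer may legitimately sit in cache (RFC 2308 s5)."""
    return max(min(soa_minimum, max_ncache_ttl), min_ncache_ttl)


def negative_ttl_ok(observed_ttl, soa_minimum, **cfg):
    """True if the cached TTL respects the bound. Cached TTLs count down, so <=."""
    return observed_ttl <= ncache_ttl_bound(soa_minimum, **cfg)


def audit_dig_soa(line, **cfg):
    """Audit one SOA line from an NXDOMAIN/NODATA answer served by the resolver."""
    owner, ttl, minimum = parse_soa(line)
    return {"owner": owner, "ttl": ttl, "minimum": minimum,
            "bound": ncache_ttl_bound(minimum, **cfg),
            "ok": negative_ttl_ok(ttl, minimum, **cfg)}


if __name__ == "__main__":
    # Usage: dig @127.0.0.1 nx-domain.xyz | grep SOA | python3 ncache_check.py
    for raw in sys.stdin:
        r = audit_dig_soa(raw.rstrip("\n"))
        verdict = "ok" if r["ok"] else "TOO LONG"
        print("%s ttl=%d minimum=%d bound=%d %s"
              % (r["owner"], r["ttl"], r["minimum"], r["bound"], verdict))
```

The bound uses the SOA MINIMUM rather than the SOA TTL because the record the resolver hands back already carries the resolver's own cache TTL, which is exactly the value under test; the MINIMUM field is the authoritative zone's intent. Pass `min_ncache_ttl=` or `max_ncache_ttl=` matching your named.conf if you have changed them from the defaults, otherwise a deliberately raised min-ncache-ttl (the workaround in the report) would be reported as a violation.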
--- Begin Message ---
Debian buster has now been switched to LTS, so I am closing the issue.

--
Ondřej Surý (He/Him)
[email protected]

--- End Message ---
