Re: [question] new bind option "max-recursion-depth"
Hi, thank you for replying to me politely.

2014-12-17 15:16 GMT+09:00 Evan Hunt :
> On Wed, Dec 17, 2014 at 01:30:35PM +0900, Techs_Maru wrote:
>> However, was the default value "7" derived from real-world data?
>> (Also for the default value of "max-recursion-queries 50;".)
>
> I haven't personally seen any real world queries go more than 4
> levels deep, but I wouldn't be surprised if there were domains
> out there that do. 7 seemed like a safe upper limit.
>
> The default max-recursion-queries value of 50, we got by testing with a
> sample of real-world resolver traffic. It turns out it isn't quite right,
> though. A limit of 50 works fine with a populated cache (which is
> how we were testing it), but if the server is just starting up and the
> nameservers for .com and .org and .net and so on aren't in cache yet,
> then it *can* take more than 50 queries to resolve a name. (This turns
> out to be especially true on 9.10, due to changes in EDNS processing
> that affect how much NS glue we get from servers in the early stages of
> populating the cache.) We'll be making some adjustments in upcoming
> maintenance releases to allow for this.
>
>> I want to know everyone's recommended setting values.
>
> I'd leave the defaults alone on BIND 9.9. On 9.10, I might consider
> increasing max-recursion-queries to 100, but be prepared to back the
> change out when updating to the next release. Or leave the defaults
> alone but be prepared for the possibility of some SERVFAIL responses in
> the first few minutes after server startup.

Sorry, my knowledge is lacking: is the query flow different between 9.10.x and 9.9.x?

By the way, is the value also fine left unchanged in the case of dual-stack name servers?

regards.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: [question] new bind option "max-recursion-depth"
On Wed, Dec 17, 2014 at 05:20:09PM -0500, Barry Margolin wrote:
> But each CNAME is in a different domain, and their nameservers were in
> yet other domains. So while resolving the CNAME chain, you also have to
> perform several levels of recursion.
>
> Does the max-recursion-depth limit apply to all of these combined, or
> does each step in the chain start at zero?

It limits how deep the server will go at any one time. If looking up a
name server requires looking up a second name server which requires
looking up a third, they're each pushed on to a stack. Eventually (one
hopes), you reach bottom and pop back up.

If it turns out the name you asked for is a CNAME, then you start a new
stack while you resolve the CNAME target. As long as the stack never
exceeds seven layers of recursion, you're fine.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: [question] new bind option "max-recursion-depth"
In article , Evan Hunt wrote:
> On Wed, Dec 17, 2014 at 03:32:30AM -0500, Barry Margolin wrote:
> > Didn't someone post a problem they were having a few days ago because of
> > a chain of Akamai CNAMEs that exceeded the limit?
>
> Recursion depth is about how many layers deep you have to go to
> resolve an NS address. CNAME chains have different limits on them.

But each CNAME is in a different domain, and their nameservers were in
yet other domains. So while resolving the CNAME chain, you also have to
perform several levels of recursion.

Does the max-recursion-depth limit apply to all of these combined, or
does each step in the chain start at zero?

--
Barry Margolin
Arlington, MA
Re: [question] new bind option "max-recursion-depth"
On Wed, Dec 17, 2014 at 03:32:30AM -0500, Barry Margolin wrote:
> Didn't someone post a problem they were having a few days ago because of
> a chain of Akamai CNAMEs that exceeded the limit?

Recursion depth is about how many layers deep you have to go to
resolve an NS address. CNAME chains have different limits on them.

I should have followed up on that other thread, actually. The problem
with 9.10 was mostly due to a change we made to improve latency when
dealing with bad connections and broken servers: when talking to a
server for the first time, 9.10 starts out using smaller packet sizes
and works its way up if they're successful, whereas 9.9 and earlier
would start with large packet sizes and work its way down if they
failed. The result is that 9.10 gets answers more quickly in the
average case, but in the short-lived pessimal case where the cache is
completely empty, there are drawbacks. Responses to our queries start
out small, so they don't have as much space to hold name server
addresses, so we have to send follow-up queries to get that
information; this counts toward the query limits. So, early queries
against an empty cache are at an unfair disadvantage with respect to
the max-recursion-queries counter.

9.10.2 has a fix that should make things better. The code's already been
pushed to the git repository at source.isc.org, in case anyone wants to
try it now. I expect to release a beta version either next week or after
the holidays.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: [question] new bind option "max-recursion-depth"
In article , Evan Hunt wrote:
> On Wed, Dec 17, 2014 at 01:30:35PM +0900, Techs_Maru wrote:
> > However, was the default value "7" derived from real-world data?
> > (Also for the default value of "max-recursion-queries 50;".)
>
> I haven't personally seen any real world queries go more than 4
> levels deep, but I wouldn't be surprised if there were domains
> out there that do. 7 seemed like a safe upper limit.

Didn't someone post a problem they were having a few days ago because of
a chain of Akamai CNAMEs that exceeded the limit?

--
Barry Margolin
Arlington, MA
Re: [question] new bind option "max-recursion-depth"
On Wed, Dec 17, 2014 at 01:30:35PM +0900, Techs_Maru wrote:
> However, was the default value "7" derived from real-world data?
> (Also for the default value of "max-recursion-queries 50;".)

I haven't personally seen any real world queries go more than 4
levels deep, but I wouldn't be surprised if there were domains
out there that do. 7 seemed like a safe upper limit.

The default max-recursion-queries value of 50, we got by testing with a
sample of real-world resolver traffic. It turns out it isn't quite right,
though. A limit of 50 works fine with a populated cache (which is
how we were testing it), but if the server is just starting up and the
nameservers for .com and .org and .net and so on aren't in cache yet,
then it *can* take more than 50 queries to resolve a name. (This turns
out to be especially true on 9.10, due to changes in EDNS processing
that affect how much NS glue we get from servers in the early stages of
populating the cache.) We'll be making some adjustments in upcoming
maintenance releases to allow for this.

> I want to know everyone's recommended setting values.

I'd leave the defaults alone on BIND 9.9. On 9.10, I might consider
increasing max-recursion-queries to 100, but be prepared to back the
change out when updating to the next release. Or leave the defaults
alone but be prepared for the possibility of some SERVFAIL responses in
the first few minutes after server startup.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: [question] new bind option "max-recursion-depth"
Hi Evan, thank you for replying.

I was able to understand it, and I will try setting it on test servers. Thanks.

However, was the default value "7" derived from real-world data?
(Also for the default value of "max-recursion-queries 50;".)

I want to know everyone's recommended setting values.

regards.
Maru

2014-12-16 15:34 GMT+09:00 Evan Hunt :
> On Tue, Dec 16, 2014 at 11:13:17AM +0900, Techs_Maru wrote:
>> But for "max-recursion-depth", I tried it, and it did not result in a
>> SERVFAIL. The document describes its meaning as "indirections"; does
>> that mean cases where the authoritative server does not directly
>> return the IP address, such as NS and CNAME? Is the default 7 the
>> number of times those are followed?
>
> Suppose a zone is served by name servers in another zone:
>
> example.com. IN NS ns1.example.org.
> example.com. IN NS ns2.example.org.
>
> So named has to look up ns1.example.org to find that name server.
> That adds a layer of recursion depth. Now, if example.org is served
> out of yet another zone:
>
> example.org. IN NS ns1.example.net.
> example.org. IN NS ns2.example.net.
>
> ...that adds another layer. Named will give up after 7 such
> indirections.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
Re: [question] new bind option "max-recursion-depth"
On Tue, Dec 16, 2014 at 11:13:17AM +0900, Techs_Maru wrote:
> But for "max-recursion-depth", I tried it, and it did not result in a
> SERVFAIL. The document describes its meaning as "indirections"; does
> that mean cases where the authoritative server does not directly
> return the IP address, such as NS and CNAME? Is the default 7 the
> number of times those are followed?

Suppose a zone is served by name servers in another zone:

example.com. IN NS ns1.example.org.
example.com. IN NS ns2.example.org.

So named has to look up ns1.example.org to find that name server.
That adds a layer of recursion depth. Now, if example.org is served
out of yet another zone:

example.org. IN NS ns1.example.net.
example.org. IN NS ns2.example.net.

...that adds another layer. Named will give up after 7 such
indirections.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
[question] new bind option "max-recursion-depth"
Hi bind-users folks,

I have a question about the new BIND option "max-recursion-depth" added for the vulnerability CVE-2014-8500; I do not know the meaning of this option. I read the ARM documentation. The BIND version I use is 9.9.6-P1.

--
max-recursion-depth
Sets the maximum number of levels of recursion that are permitted at any one time while servicing a recursive query. Resolving a name may require looking up a name server address, which in turn requires resolving another name, etc; if the number of indirections exceeds this value, the recursive query is terminated and returns SERVFAIL. The default is 7.

max-recursion-queries
Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query is terminated and returns SERVFAIL. The default is 50.
--

I think the meaning of "max-recursion-queries" is the maximum number of iterative query attempts from the cache server, and I was able to confirm on test servers that this configuration option results in SERVFAIL.

But for "max-recursion-depth", I tried it, and it did not result in a SERVFAIL. The document describes its meaning as "indirections"; does that mean cases where the authoritative server does not directly return the IP address, such as NS and CNAME? Is the default 7 the number of times those are followed?

Please tell me; I think it's my lack of knowledge.

I want to know if everyone has a recommended setting value.

regards.
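As an added illustration (my own constructed code, not BIND's and not anything posted in this thread), the following Python models what the two ARM options quoted above actually count, using Evan's example of example.com being served out of example.org, which is in turn served out of example.net. Each time a zone's name servers live in a zone whose server addresses are not yet cached, the resolver pushes one level (max-recursion-depth); every iterative query sent on behalf of the client's question counts toward max-recursion-queries; and a CNAME target is resolved on a fresh stack, as Evan describes further up the thread. The zone data, glue tables and RFC 5737 addresses are constructed; the delegation walk is a simplification of what named does (it starts at the deepest zone with a cached server address and treats the glue table as whatever a referral carries), and the assumption that the query budget is shared across a CNAME chain is my reading of the ARM wording, not something stated in the thread.

```python
"""Toy iterative resolver modelling BIND's max-recursion-depth and
max-recursion-queries limits (constructed example, not BIND's own code)."""
from dataclasses import dataclass, field

MAX_RECURSION_DEPTH = 7     # BIND default: NS-address lookups on the stack at once
MAX_RECURSION_QUERIES = 50  # BIND default: iterative queries per client query


class ServFail(Exception):
    """Raised where named would answer SERVFAIL."""


# Constructed delegation tree; all addresses are RFC 5737 documentation ranges.
ZONES = {  # zone apex -> NS names
    ".": ["a.root-servers.net."], "com.": ["a.gtld-servers.net."],
    "net.": ["a.gtld-servers.net."], "org.": ["a0.org-servers.net."],
    "example.com.": ["ns1.example.org."],  # served from another zone: an indirection
    "example.org.": ["ns1.example.net."],  # ...which is served from yet another one
    "example.net.": ["ns1.example.net."],  # in-bailiwick server: glue, no indirection
}
GLUE = {  # zone -> addresses a referral to it carries ("." = the root hints)
    ".": {"a.root-servers.net.": "192.0.2.1"}, "com.": {"a.gtld-servers.net.": "192.0.2.2"},
    "net.": {"a.gtld-servers.net.": "192.0.2.2"}, "org.": {"a0.org-servers.net.": "192.0.2.3"},
    "example.net.": {"ns1.example.net.": "192.0.2.4"},
}
RECORDS = {  # what the zone's authoritative server finally answers
    "www.example.com.": ("A", "198.51.100.10"), "ns1.example.org.": ("A", "198.51.100.20"),
    "ns1.example.net.": ("A", "192.0.2.4"), "www.example.org.": ("A", "198.51.100.30"),
    "alias.example.com.": ("CNAME", "www.example.org."),
}


@dataclass
class Resolver:
    max_depth: int = MAX_RECURSION_DEPTH
    max_queries: int = MAX_RECURSION_QUERIES
    zones: dict = field(default_factory=lambda: {z: list(n) for z, n in ZONES.items()})
    glue: dict = field(default_factory=lambda: {z: dict(g) for z, g in GLUE.items()})
    records: dict = field(default_factory=lambda: dict(RECORDS))
    cache: dict = field(default_factory=dict)  # name -> address
    queries: int = 0  # iterative queries sent for the current client query
    deepest: int = 0  # deepest recursion level reached while serving it

    def __post_init__(self):
        self.cache.update(self.glue["."])  # root server addresses are always known

    def lookup(self, name):
        """Serve one client (recursive) query for name; returns its address."""
        self.queries = self.deepest = 0
        return self._resolve(name, depth=0)

    def _chain(self, name):
        """Zones from the root down to the closest enclosing zone of name."""
        labels = name.rstrip(".").split(".")
        apexes = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
        return ["."] + [z for z in apexes if z in self.zones]

    def _ns_address(self, zone, depth):
        """Address of a server for zone; having to look one up pushes a level."""
        for ns in self.zones[zone]:
            if ns in self.cache:
                return self.cache[ns]
        return self._resolve(self.zones[zone][0], depth + 1)

    def _resolve(self, name, depth):
        if depth > self.max_depth:
            raise ServFail(f"max-recursion-depth exceeded (level {depth}) at {name}")
        self.deepest = max(self.deepest, depth)
        if name in self.cache:
            return self.cache[name]
        chain = self._chain(name)
        # Begin at the deepest zone for which some server address is already cached.
        start = max(i for i, z in enumerate(chain)
                    if any(ns in self.cache for ns in self.zones[z]))
        for i in range(start, len(chain)):
            self._ns_address(chain[i], depth)  # the server this step queries
            self.queries += 1  # one iterative query to that server
            if self.queries > self.max_queries:
                raise ServFail(f"max-recursion-queries exceeded ({self.queries}) at {name}")
            if i + 1 < len(chain):  # a referral: keep whatever glue it carried
                self.cache.update(self.glue.get(chain[i + 1], {}))
        rtype, rdata = self.records.get(name, (None, None))
        if rtype == "CNAME":
            # As in the thread: the target starts a fresh stack (depth restarts at 0);
            # the query budget is per client query, so it is not reset (our reading).
            return self._resolve(rdata, depth=0)
        if rtype != "A":
            raise ServFail(f"no data for {name}")
        self.cache[name] = rdata
        return rdata


def add_chain(r, n, tld="test."):
    """Constructed zones d0..dn under tld: each zone's only server lives in the
    next zone, so www.d0 needs n indirections; only dn's server has glue."""
    r.zones[tld] = [f"ns.{tld}"]
    r.glue[tld] = {f"ns.{tld}": "203.0.113.1"}
    for i in range(n + 1):
        zone, nxt = f"d{i}.{tld}", f"d{min(i + 1, n)}.{tld}"
        r.zones[zone] = [f"ns.{nxt}"]
        r.records[f"ns.{zone}"] = ("A", f"203.0.113.{10 + i}")
    r.glue[f"d{n}.{tld}"] = {f"ns.d{n}.{tld}": f"203.0.113.{10 + n}"}
    r.records[f"www.d0.{tld}"] = ("A", "203.0.113.100")
```

Resolving www.example.com. from an empty cache costs 8 iterative queries and reaches depth 2 (ns1.example.org needs ns1.example.net, which needs a referral from .net), while a following lookup of alias.example.com. costs only 2 because the server addresses are now cached: that is the cold-versus-warm cache effect behind the max-recursion-queries discussion. add_chain(r, 7) builds a delegation chain that needs exactly 7 indirections and still resolves (17 queries); add_chain(r, 8) is refused with a max-recursion-depth SERVFAIL, and Resolver(max_queries=10) refuses the 7-deep chain with a max-recursion-queries SERVFAIL instead, which is the kind of lab case the original poster could not trigger.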