Hi Tomas,

On 15/09/15 09:55, Tomas Hozza via Unbound-users wrote:
> On 14.09.2015 14:15, Daisuke HIGASHI via Unbound-users wrote:
>> Hi,
>>
>> SERVFAIL on tweakers.net seems to be from the fix for CVE-2014-8500.
>> This fix essentially limits the number of queries (to authoritative
>> servers) to resolve the target qname. If a qname requires many queries
>> to resolve, it becomes SERVFAIL. This situation often occurs when the
>> cache is empty (e.g. just after starting unbound or a cache flush).
>>
>> bind-users discussed the same issue last year:
>> https://lists.isc.org/pipermail/bind-users/2014-December/thread.html
>>
>>
>> A possible workaround is to increase MAX_TARGET_COUNT
>> (iterator/iterator.h) to relax the query limit, but it
>> may reduce robustness against CVE-2014-8500-related attacks.
>
> I think it is worth considering not having to recompile Unbound. It
> would be much nicer to have this configurable in unbound.conf.
> Something similar to what BIND allows with the max-recursion-queries
> option.

What value should we use for MAX_TARGET_COUNT?  I'll increase the
compiled default to that value.  Easier than a configuration option
that the user can get wrong and then be vulnerable.

Best regards, Wouter

>
> Tomas
>
>> Regards, -- Daisuke HIGASHI
>>
>>
>> 2015-09-11 18:39 GMT+09:00 Frank de Bot via Unbound-users
>> <unbound-users@unbound.net>:
>>> Hi,
>>>
>>> Under FreeBSD I'm setting up a resolve-only unbound server.
>>> While testing I've noticed some domains do not resolve (server
>>> returns SERVFAIL)
>
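The behaviour discussed in this thread, as an added example that is not part of the original message and not Unbound source code: a toy C model of a per-resolution upstream query limit, showing why a glueless delegation chain fails on a cold cache and succeeds on retry. The zone data, the limit of 6 and the function names are constructed assumptions, and the caching is deliberately simplified.

```c
/* Added illustration; a toy model, not Unbound source code. */
#include <stdio.h>

struct zone {
    const char *name;
    int parent;   /* index of parent zone, -1 = root (hints always known) */
    int ns_zone;  /* zone holding this zone's NS name, -1 = glue in referral */
};

/* Constructed delegation data: example.net's NS name lives under
 * example.org, whose NS name lives under example.com (no glue). */
static const struct zone ZONES[] = {
    {"net.", -1, -1}, {"example.net.", 0, 3},
    {"org.", -1, -1}, {"example.org.", 2, 5},
    {"com.", -1, -1}, {"example.com.", 4, -1},
};

/* Learn a server address for zone z, counting every upstream query in
 * *sent. Returns -1 as soon as the per-resolution limit is exceeded. */
static int reach(int z, int *cached, int *sent, int limit)
{
    if (z < 0 || cached[z]) return 0;              /* root or cache hit */
    if (reach(ZONES[z].parent, cached, sent, limit)) return -1;
    if (++*sent > limit) return -1;                /* referral query */
    if (ZONES[z].ns_zone >= 0) {                   /* glueless NS name */
        if (reach(ZONES[z].ns_zone, cached, sent, limit)) return -1;
        if (++*sent > limit) return -1;            /* NS address query */
    }
    cached[z] = 1;
    return 0;
}

/* Resolve a name in zone z. Returns queries sent, or -1 for SERVFAIL. */
int resolve(int z, int *cached, int limit)
{
    int sent = 0;
    if (reach(z, cached, &sent, limit)) return -1;
    return ++sent > limit ? -1 : sent;             /* final qname query */
}

int main(void)
{
    int cache[6] = {0};
    int limit = 6;  /* constructed value, not Unbound's MAX_TARGET_COUNT */
    for (int i = 1; i <= 3; i++)
        printf("attempt %d: %d\n", i, resolve(1, cache, limit));
    return 0;
}
```

In this model the cold-cache lookup needs 9 upstream queries, so any limit below 9 turns the first attempt into SERVFAIL while the partial results it cached let the retry finish within the limit.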