Unbound not always resolving immediately after start.

Tomas Hozza thozza at redhat.com
Tue Sep 15 07:55:23 UTC 2015


On 14.09.2015 14:15, Daisuke HIGASHI via Unbound-users wrote:
> Hi,
> 
> SERVFAIL on tweakers.net seems to come from the fix for CVE-2014-8500.
> This fix essentially limits the number of queries (to authoritative servers)
> used to resolve the target qname. If a qname requires many queries to resolve,
> it becomes SERVFAIL. This situation often occurs when the cache is empty
> (e.g. just after starting unbound or a cache flush).
> 
> bind-users discussed the same issue last year:
>   https://lists.isc.org/pipermail/bind-users/2014-December/thread.html
> 
> A possible workaround is to increase MAX_TARGET_COUNT
> (iterator/iterator.h) to relax the query-count limit, but it may
> reduce robustness against CVE-2014-8500-related attacks.

I think it is worth considering not having to recompile Unbound.
It would be much nicer to have this configurable in unbound.conf,
something similar to what BIND allows with the max-recursion-queries option.

Tomas

> Regards,
> --
> Daisuke HIGASHI
> 
> 
> 2015-09-11 18:39 GMT+09:00 Frank de Bot via Unbound-users
> <unbound-users at unbound.net>:
>> Hi,
>>
>> Under FreeBSD I'm setting up a resolve-only unbound server. While testing
>> I've noticed some domains do not resolve (server returns SERVFAIL)

-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc.                 http://cz.redhat.com
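The cold-cache behaviour Daisuke describes, as an added example that is not Unbound's code: a constructed toy resolver that budgets the number of out-of-bailiwick nameserver targets it chases per client query and returns SERVFAIL once the budget is exhausted. The zone data, addresses and the limit of 1 are all constructed for illustration, not Unbound's real MAX_TARGET_COUNT value.

```python
SERVFAIL = "SERVFAIL"
# Constructed delegation data: the nameserver for "example." lives in another
# zone, whose own nameserver lives in a third, so an empty cache means chasing
# nameserver addresses before the original question can be asked at all.
NS = {
    "example.":        ["ns1.hoster.example."],
    "hoster.example.": ["a.vendor.example."],
    "vendor.example.": ["v.vendor.example."],   # in-bailiwick: glue, costs nothing
}
ADDRESSES = {  # constructed answers the authoritative servers would give
    "www.example.": "192.0.2.10", "ns1.hoster.example.": "192.0.2.1",
    "a.vendor.example.": "192.0.2.3", "v.vendor.example.": "192.0.2.5",
}
def zone_of(name):
    """Closest enclosing zone of name (longest delegated suffix)."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        if zone in NS:
            return zone
    raise KeyError(name)

class Resolver:
    def __init__(self, max_targets):
        self.max_targets = max_targets  # constructed limit, not Unbound's real value
        self.cache = {}

    def resolve(self, qname):
        """Answer qname, or SERVFAIL once this query has chased too many targets."""
        self._targets = 0
        return self._lookup(qname) or SERVFAIL

    def _lookup(self, name):
        if name in self.cache:
            return self.cache[name]
        zone = zone_of(name)
        ns = NS[zone][0]                  # simplification: always ask the first NS
        if zone_of(ns) != zone and ns not in self.cache:
            # out-of-bailiwick nameserver with no cached address: one more target
            self._targets += 1
            if self._targets > self.max_targets or self._lookup(ns) is None:
                return None
        self.cache[name] = ADDRESSES[name]  # answer from that server, now cached
        return self.cache[name]
def demo():
    """Tight budget: cold cache SERVFAILs; a cache warmed by another query resolves."""
    cold = Resolver(max_targets=1)
    first = cold.resolve("www.example.")
    cold.resolve("a.vendor.example.")   # unrelated query caches a nameserver address
    return first, cold.resolve("www.example.")
```

The same name that fails right after start succeeds once the nameserver addresses are cached, which is why the symptom disappears as the cache warms.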