Unbound not always resolving immediately after start.
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Tue Sep 22 07:30:48 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi Tomas,
On 15/09/15 09:55, Tomas Hozza via Unbound-users wrote:
> On 14.09.2015 14:15, Daisuke HIGASHI via Unbound-users wrote:
>> Hi,
>>
>> The SERVFAIL on tweakers.net seems to come from the fix for CVE-2014-8500.
>> This fix essentially limits the number of queries (to authoritative
>> servers) used to resolve the target qname. If a qname requires many
>> queries to resolve, it becomes SERVFAIL. This situation often occurs
>> when the cache is empty (e.g. just after starting unbound or a cache flush).
>>
>> bind-users have discussed same issue last year:
>> https://lists.isc.org/pipermail/bind-users/2014-December/thread.html
>>
>> Possible workarounds are to increase MAX_TARGET_COUNT
>> (iterator/iterator.h) to relax the number-of-queries limitation, but it
>> may reduce robustness against a CVE-2014-8500-related attack.
>
> I think it is worth considering not having to recompile Unbound. It
> would be much nicer to have this configurable in unbound.conf.
> Something similar like BIND allows by max-recursion-queries
> option.
What value should we use for MAX_TARGET_COUNT? I'll increase the
compiled default to that value. Easier than a configuration option
that the user can get wrong and then be vulnerable.
Best regards,
Wouter
>
> Tomas
>
>> Regards, -- Daisuke HIGASHI
>>
>>
>> 2015-09-11 18:39 GMT+09:00 Frank de Bot via Unbound-users
>> <unbound-users at unbound.net>:
>>> Hi,
>>>
>>> Under FreeBSD I'm setting up a resolve-only unbound server.
>>> While testing I've noticed some domains do not resolve (the server
>>> returns SERVFAIL).
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWAQOoAAoJEJ9vHC1+BF+NQoMP/1JPBhD+Hdd7f8yDqKhZHGhx
MJ2C58U1vqZJoNheroWhg0Z6gD4e4A4WsGLSb1Ij/85IuM9vkFZl4eHtzqPXt5ZA
TbEQ8QOfeaf5EcZgBp6AySsEfK5xTITTP9vWygO4/S1N6ppm+F1oKR7rGchQvA1E
aNfiWQb/M/ldU3j+qZHn/6KJV1TU/H140/qe7VsbJLJ61d505A7mKhINSf+EmfeB
myb7lOYF+ximLTeE//JBX0orQS8sfFmVWns6oaNSA9lhOYrF75Vgtt3lL/LIzBAf
HJCog9BWalb1XaF9Suvr+sud69tEzJHiXsHiYZ4U2A18ujQR24zA3hBPpcxn45RT
7Pld26scQeVBxUzKI7stNIA4JyP4YcMCZMoA2XQfMOho1LZC8W6TIhUQPZww3YxM
bbMTHxxnuAf9mJqgxyePgWTXncIXuppjsw+pD1dSNVnF726kabRINBv7hDBeSu6H
ibufZqIA156iUehg9IKAc843E9JlIfxTHXX/v9DlqqH02aBJXBHmWJDnwjLNCaNZ
DwzX32chXJmdFuZuN13Q5ZvJeFpJp5+NoN2Ym/Lti2zDbYqHW2OaVywSFWBbNnNl
bbMJDWKLEHoA5dcHCH1wRFsPc/npc3TDg8CPE65/3DKLk72CRxytzs+wX1TaO1+D
8lmspddKr2diZi882BjF
=Us9K
-----END PGP SIGNATURE-----
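The cold-cache behaviour discussed in this thread (first query SERVFAILs because the per-query budget for nameserver-address lookups is exhausted, the retry succeeds because the addresses fetched before the failure are now cached) is easier to see in a small simulation. The following is an added example written for this archive page; it is not Unbound's iterator code. The delegation tree, the addresses and the cap value of 4 are all constructed for the demonstration (Unbound's real MAX_TARGET_COUNT and counting rules differ), and the resolver deliberately fetches an address for every listed nameserver to show the worst-case fan-out.

```python
"""Toy model of a per-query target-lookup limit in an iterative resolver.

Constructed simulation for illustration only; not Unbound's iterator code.
The delegation data, addresses and MAX_TARGET_COUNT value are invented.
"""


MAX_TARGET_COUNT = 4  # assumed cap for the simulation, not Unbound's actual value

# Constructed delegation tree: zone -> nameserver hostnames serving it.
# Nameservers whose name is under the zone ("in-bailiwick") come with glue;
# the others need a separate address lookup, which is what the budget counts.
ZONES = {
    "test.": ["ns.test."],
    "example.test.": ["ns1.hoster-a.test.", "ns2.hoster-b.test."],
    "hoster-a.test.": ["ns.backbone-c.test.", "ns.backbone-d.test."],
    "hoster-b.test.": ["ns.backbone-c.test.", "ns.backbone-e.test."],
    "backbone-c.test.": ["ns.backbone-c.test."],
    "backbone-d.test.": ["ns.backbone-d.test."],
    "backbone-e.test.": ["ns.backbone-e.test."],
}

# Constructed authoritative address data (documentation address ranges).
ADDRESSES = {
    "ns.test.": "192.0.2.1",
    "ns1.hoster-a.test.": "192.0.2.10",
    "ns2.hoster-b.test.": "192.0.2.11",
    "ns.backbone-c.test.": "198.51.100.1",
    "ns.backbone-d.test.": "198.51.100.2",
    "ns.backbone-e.test.": "198.51.100.3",
    "www.example.test.": "203.0.113.7",
}


class ServFail(Exception):
    """Raised when one query needs more target lookups than the cap allows."""


def closest_zone(name):
    """Return the longest zone in ZONES that encloses name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONES:
            return candidate
    raise KeyError("no enclosing zone for " + name)


class ToyResolver:
    def __init__(self, max_target_count=MAX_TARGET_COUNT):
        self.max_target_count = max_target_count
        self.cache = {}        # hostname -> address; survives across queries
        self.last_targets = 0  # target lookups spent by the most recent query

    def resolve(self, qname):
        """Return (address, targets_used) for qname, or raise ServFail."""
        state = {"targets": 0}
        try:
            return self._lookup(qname, state), state["targets"]
        finally:
            self.last_targets = state["targets"]

    def _lookup(self, name, state):
        if name in self.cache:
            return self.cache[name]
        zone = closest_zone(name)
        # Before querying the zone we need addresses for its nameservers.
        for ns in ZONES[zone]:
            if ns in self.cache:
                continue
            if ns.endswith("." + zone):
                # In-bailiwick: the parent hands us glue, no extra lookup.
                self.cache[ns] = ADDRESSES[ns]
                continue
            # Out-of-bailiwick: a separate lookup that counts against the budget.
            state["targets"] += 1
            if state["targets"] > self.max_target_count:
                raise ServFail("target limit %d hit while resolving %s for %s"
                               % (self.max_target_count, ns, name))
            self._lookup(ns, state)  # caches ns's address as a side effect
        # Addresses in hand: "ask" the authoritative server (the table).
        self.cache[name] = ADDRESSES[name]
        return self.cache[name]


def attempt(resolver, qname):
    """One query attempt: (address, targets) or ("SERVFAIL", targets)."""
    try:
        return resolver.resolve(qname)
    except ServFail:
        return "SERVFAIL", resolver.last_targets


if __name__ == "__main__":
    r = ToyResolver()
    for n in range(1, 4):
        print("attempt %d:" % n, attempt(r, "www.example.test."))
    print("cap 5, cold cache:", attempt(ToyResolver(5), "www.example.test."))
```

With the cap at 4 the first attempt fails after the fifth out-of-bailiwick lookup, but the three addresses fetched before that point stay cached, so the second attempt needs only two lookups and succeeds, and the third is answered from cache. Raising the cap to 5 makes the cold query succeed at once, which is the trade-off Daisuke describes: a higher cap means fewer cold-cache SERVFAILs and more work an attacker can make the resolver do per query.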