Unbound not always resolving immediately after start.

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Sep 22 07:30:48 UTC 2015


Hi Tomas,

On 15/09/15 09:55, Tomas Hozza via Unbound-users wrote:
> On 14.09.2015 14:15, Daisuke HIGASHI via Unbound-users wrote:
>> Hi,
>> 
>> SERVFAIL on tweakers.net seems to be from the fix for CVE-2014-8500.
>> This fix essentially limits the number of queries (to authoritative
>> servers) used to resolve the target qname. If a qname requires many
>> queries to resolve, it becomes SERVFAIL. This situation often occurs
>> when the cache is empty (e.g. just after starting unbound or a cache flush).
>> 
>> bind-users discussed the same issue last year:
>> https://lists.isc.org/pipermail/bind-users/2014-December/thread.html
>> 
>> Possible workarounds are to increase MAX_TARGET_COUNT
>> (iterator/iterator.h) to relax the query-number limitation, but it
>> may reduce robustness against CVE-2014-8500-related attacks.
> 
> I think it is worth considering not having to recompile Unbound. It
> would be much nicer to have this configurable in unbound.conf,
> something similar to what BIND allows with the max-recursion-queries
> option.

What value should we use for MAX_TARGET_COUNT?  I'll increase the
compiled default to that value.  Easier than a configuration option
that the user can get wrong and then be vulnerable.

Best regards,
   Wouter

> 
> Tomas
> 
>> Regards, -- Daisuke HIGASHI
>> 
>> 
>> 2015-09-11 18:39 GMT+09:00 Frank de Bot via Unbound-users 
>> <unbound-users at unbound.net>:
>>> Hi,
>>> 
>>> Under FreeBSD I'm setting up a resolv-only unbound server.
>>> While testing I've noticed some domains do not resolve (the server
>>> returns SERVFAIL).
> 

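Added illustration (not Unbound's code; the zones, server names and addresses are constructed): a toy iterative resolver with a per-query cap on nameserver-target lookups, modelled on the MAX_TARGET_COUNT behaviour discussed in this thread. With an empty cache, a name whose delegation chain is entirely out-of-bailiwick needs several target lookups and trips a low cap, while the cache filled by the failed attempt lets the retry succeed.

```python
from typing import Dict, List, Optional, Tuple
# Constructed delegation data (not real zones): every name's parent is a zone in
# NS. site.'s servers live under dnshost., whose servers live under provider.,
# so each NS hostname costs its own lookup; provider.'s servers come with glue.
NS: Dict[str, List[str]] = {
    "site.": ["ns1.dnshost.", "ns2.dnshost."],
    "dnshost.": ["ns1.provider.", "ns2.provider."],
    "provider.": ["ns1.backbone.", "ns2.backbone."],
}
GLUE = {"ns1.backbone.": "203.0.113.1", "ns2.backbone.": "203.0.113.2"}
ADDR = {"www.site.": "192.0.2.10", "ns1.dnshost.": "203.0.113.11",
        "ns2.dnshost.": "203.0.113.12", "ns1.provider.": "203.0.113.21",
        "ns2.provider.": "203.0.113.22"}  # authoritative A data

class Servfail(Exception):
    pass

class ToyResolver:
    def __init__(self, max_target_count: int) -> None:
        self.max_target_count = max_target_count
        self.cache: Dict[str, str] = {}  # persists across queries, like unbound's
        self.targets = 0

    def resolve(self, name: str) -> Tuple[Optional[str], int]:
        """Return (address or None for SERVFAIL, target lookups this query used)."""
        self.targets = 0
        try:
            return self._fetch(name), self.targets
        except Servfail:
            return None, self.targets  # what was resolved so far stays cached

    def _fetch(self, name: str) -> str:
        if name in self.cache:
            return self.cache[name]
        if name in GLUE:  # glue arrives with the referral, so no extra query
            self.cache[name] = GLUE[name]
            return GLUE[name]
        # Simplification: look up every server name of the parent zone (the fan-out
        # that makes a cold cache costly); unbound stops once it has an address.
        for ns in NS[name.split(".", 1)[1]]:
            if ns in self.cache or ns in GLUE:
                continue
            self.targets += 1
            if self.targets > self.max_target_count:
                raise Servfail(f"{name}: over {self.max_target_count} targets")
            self._fetch(ns)
        self.cache[name] = ADDR[name]  # answer from the zone's servers
        return ADDR[name]
```

With a cap of 4 the cold query for www.site. costs 4 target lookups and succeeds; with a cap of 3 it SERVFAILs, and the retry succeeds after one more lookup because the earlier results are already cached.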