
List:       unbound-users
Subject:    Re: Unbound not always resolving immediately after start.
From:       "W.C.A. Wijngaards via Unbound-users" <unbound-users () unbound ! net>
Date:       2015-09-22 7:30:48
Message-ID: 560103A8.1060105 () nlnetlabs ! nl


Hi Tomas,

On 15/09/15 09:55, Tomas Hozza via Unbound-users wrote:
> On 14.09.2015 14:15, Daisuke HIGASHI via Unbound-users wrote:
>> Hi,
>> 
>> SERVFAIL on tweakers.net seems to be from the fix for CVE-2014-8500.
>> This fix essentially limits the number of queries (to authoritative
>> servers) to resolve the target qname. If a qname requires many
>> queries to resolve, it becomes SERVFAIL. This situation often occurs
>> when the cache is empty (e.g. just after starting unbound or a cache
>> flush).
>> 
>> bind-users discussed the same issue last year: 
>> https://lists.isc.org/pipermail/bind-users/2014-December/thread.html
>> 
>> Possible workarounds are to increase MAX_TARGET_COUNT
>> (iterator/iterator.h) to relax the query-number limitation, but it
>> may reduce robustness against CVE-2014-8500-related attacks.
> 
> I think it is worth considering not having to recompile Unbound. It
> would be much nicer to have this configurable in unbound.conf,
> something similar to what BIND allows with the max-recursion-queries
> option.

What value should we use for MAX_TARGET_COUNT?   I'll increase the
compiled default to that value.  Easier than a configuration option
that the user can get wrong and then be vulnerable.

Best regards,
   Wouter

> 
> Tomas
> 
>> Regards, -- Daisuke HIGASHI
>> 
>> 
>> 2015-09-11 18:39 GMT+09:00 Frank de Bot via Unbound-users 
>> <unbound-users@unbound.net>:
>>> Hi,
>>> 
>>> Under FreeBSD I'm setting up a resolve-only unbound server.
>>> While testing I've noticed some domains do not resolve (the server
>>> returns SERVFAIL).
> 

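A toy model of the per-query target budget the thread is about, added here as an illustration and not Unbound's own code: the delegation data, the names under `example.`, the `ToyIterator` class and its simplified lookup rule are all constructed for this example, and the only thing it shares with Unbound is the idea of a cap named after `MAX_TARGET_COUNT`. It shows why a cold cache hits the cap, why the same query succeeds on retry, and what raising the cap changes.

```python
# Constructed delegation data: zone -> its name-server host names.
# Servers are deliberately hosted in other zones without glue, so each one
# has to be chased with extra queries, which is what drains the budget.
NS = {
    "example.": ["ns.example."],
    "shop.example.": ["ns1.hosta.example.", "ns2.hostb.example."],
    "hosta.example.": ["ns.hostc.example."],
    "hostb.example.": ["ns.hostc.example."],
    "hostc.example.": ["ns.example."],
}
# Constructed A records held by the authoritative servers.
ADDRESSES = {
    "www.shop.example.": "192.0.2.10",
    "ns1.hosta.example.": "192.0.2.11",
    "ns2.hostb.example.": "192.0.2.12",
    "ns.hostc.example.": "192.0.2.13",
    "ns.example.": "192.0.2.1",
}
# Glue the resolver is primed with: the only address it knows on an empty cache.
GLUE = {"ns.example.": "192.0.2.1"}

SERVFAIL, NOERROR = "SERVFAIL", "NOERROR"


def zone_for(qname):
    """Closest enclosing zone cut for a name (constructed data only)."""
    parent = qname.split(".", 1)[1]
    while parent and parent not in NS:
        parent = parent.split(".", 1)[1]
    return parent


class ToyIterator:
    def __init__(self, max_target_count):
        self.max_target_count = max_target_count  # stands in for MAX_TARGET_COUNT
        self.cache = dict(GLUE)
        self.targets_used = 0

    def resolve(self, qname):
        """Answer one client query: returns (rcode, address, target lookups spent)."""
        self.targets_used = 0
        addr = self._lookup(qname)
        return (NOERROR, addr, self.targets_used) if addr else (SERVFAIL, None, self.targets_used)

    def _lookup(self, qname):
        if qname in self.cache:
            return self.cache[qname]
        # Pessimistic toy rule: every listed server address must be obtained
        # before the zone is asked; each uncached one costs one target unit.
        for server in NS[zone_for(qname)]:
            if server not in self.cache:
                self.targets_used += 1
                if self.targets_used > self.max_target_count or not self._lookup(server):
                    return None  # budget exhausted (or chase failed) -> SERVFAIL
        addr = ADDRESSES.get(qname)
        if addr:
            self.cache[qname] = addr  # partial progress stays cached, so a retry is cheaper
        return addr


if __name__ == "__main__":
    cold = ToyIterator(max_target_count=2)
    print(cold.resolve("www.shop.example."))  # cold cache: SERVFAIL
    print(cold.resolve("www.shop.example."))  # retry, warm cache: NOERROR
    print(ToyIterator(max_target_count=3).resolve("www.shop.example."))  # higher cap: NOERROR
```

The first call fails after three target lookups exceed a cap of two, the retry succeeds because two of those targets are now cached, and a cap of three resolves the name cold; the trade-off Daisuke mentions is that the larger cap also lets a crafted delegation chain consume more queries.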