
[question] new bind option "max-recursion-depth"


Techs_Maru

Dec 15, 2014, 9:13:22 PM
to bind-...@lists.isc.org
Hi, Bind-user folks,

I have a question about the new BIND option "max-recursion-depth" for
vulnerability CVE-2014-8500; I do not know the meaning of this option.

I read the ARM documents....
The BIND version I use is 9.9.6-P1.
------------------------------

max-recursion-depth Sets the maximum number of levels of recursion
that are permitted at any one time while servicing a recursive query.
Resolving a name may require looking up a name server address, which
in turn requires resolving another name, etc; if the number of
indirections exceeds this value, the recursive query is terminated and
returns SERVFAIL. The default is 7.

max-recursion-queries Sets the maximum number of iterative queries
that may be sent while servicing a recursive query. If more queries
are sent, the recursive query is terminated and returns SERVFAIL.
The default is 50.

------------------------------

Probably the meaning of "max-recursion-queries" is the maximum number of
iterative query attempts from cache servers.
I was also able to confirm on a test server that this configuration
option results in SERVFAIL.

But with "max-recursion-depth", I tried it but it did not result in SERVFAIL.
The document describes the meaning as "indirections"; does that mean cases
where the authoritative server does not directly return the IP address,
such as NS and CNAME? And is the default of 7 the number of times those
are followed?

Please tell me; I think it is my lack of knowledge.
I also want to know whether everyone has a recommended setting value.

regards.

Evan Hunt

Dec 16, 2014, 1:34:59 AM
to Techs_Maru, bind-...@lists.isc.org
On Tue, Dec 16, 2014 at 11:13:17AM +0900, Techs_Maru wrote:
> But with "max-recursion-depth", I tried it but it did not result in SERVFAIL.
> The document describes the meaning as "indirections"; does that mean cases
> where the authoritative server does not directly return the IP address,
> such as NS and CNAME? And is the default of 7 the number of times those
> are followed?

Suppose a zone is served by name servers in another zone:

example.com. IN NS ns1.example.org.
example.com. IN NS ns2.example.org.

So named has to look up ns1.example.org to find that name server.
That adds a layer of recursion depth. Now, if example.org is served
out of yet another zone:

example.org. IN NS ns1.example.net.
example.org. IN NS ns2.example.net.

...that adds another layer. Named will give up after 7 such
indirections.

--
Evan Hunt -- ea...@isc.org
Internet Systems Consortium, Inc.

Techs_Maru

Dec 16, 2014, 11:30:42 PM
to Evan Hunt, bind-...@lists.isc.org
Hi, Evan,

Thank you for replying.

I was able to understand, and I will try setting it on test servers.
Thanks.

However,
is the default value of "7" a value that was derived from real-world data?
(Also for the default value of "max-recursion-queries 50;".)

I want to know the settings everyone recommends.

regards.

//// Maru

Evan Hunt

Dec 17, 2014, 1:16:08 AM
to Techs_Maru, bind-...@lists.isc.org
On Wed, Dec 17, 2014 at 01:30:35PM +0900, Techs_Maru wrote:
> However,
> is the default value of "7" a value that was derived from real-world data?
> (Also for the default value of "max-recursion-queries 50;".)

I haven't personally seen any real world queries go more than 4
levels deep, but I wouldn't be surprised if there were domains
out there that do. 7 seemed like a safe upper limit.

The default max-recursion-queries value of 50, we got by testing with a
sample of real-world resolver traffic. It turns out it isn't quite right,
though. A limit of 50 works fine with a populated cache (which is
how we were testing it), but if the server is just starting up and the
nameservers for .com and .org and .net and so on aren't in cache yet,
then it *can* take more than 50 queries to resolve a name. (This turns
out to be especially true on 9.10, due to changes in EDNS processing
that affect how much NS glue we get from servers in the early stages of
populating the cache.) We'll be making some adjustments in upcoming
maintenance releases to allow for this.

> I want to know the recommended settings for everyone to values.

I'd leave the defaults alone on BIND 9.9. On 9.10, I might consider
increasing max-recursion-queries to 100, but be prepared to back the
change out when updating to the next release. Or leave the defaults
alone but be prepared for the possibility of some SERVFAIL responses in
the first few minutes after server startup.

Barry Margolin

Dec 17, 2014, 3:32:40 AM
to comp-protoc...@isc.org
In article <mailman.1295.1418796...@lists.isc.org>,
Evan Hunt <ea...@isc.org> wrote:

> On Wed, Dec 17, 2014 at 01:30:35PM +0900, Techs_Maru wrote:
> > However,
> > is the default value of "7" a value that was derived from real-world data?
> > (Also for the default value of "max-recursion-queries 50;".)
>
> I haven't personally seen any real world queries go more than 4
> levels deep, but I wouldn't be surprised if there were domains
> out there that do. 7 seemed like a safe upper limit.

Didn't someone post a problem they were having a few days ago because of
a chain of Akamai CNAMEs that exceeded the limit?

--
Barry Margolin
Arlington, MA

Evan Hunt

Dec 17, 2014, 1:12:19 PM
to Barry Margolin, comp-protoc...@isc.org
On Wed, Dec 17, 2014 at 03:32:30AM -0500, Barry Margolin wrote:
> Didn't someone post a problem they were having a few days ago because of
> a chain of Akamai CNAMEs that exceeded the limit?

Recursion depth is about how many layers deep you have to go to
resolve an NS address. CNAME chains have different limits on them.

I should have followed up on that other thread, actually. The problem with
9.10 was mostly due to a change we made to improve latency when dealing
with bad connections and broken servers: when talking to a server for the
first time, 9.10 starts out using smaller packet sizes and works its way up
if they're successful, whereas 9.9 and earlier would start with large
packet sizes and work its way down if they failed.

The result is that 9.10 gets answers more quickly in the average case,
but in the short-lived pessimal case where the cache is completely empty,
there are drawbacks. Responses to our queries start out small, so they
don't have as much space to hold name server addresses, so we have to send
follow-up queries to get that information; this counts toward the query
limits. So, early queries against an empty cache are at an unfair
disadvantage with respect to the max-recursion-queries counter.

9.10.2 has a fix that should make things better. The code's already been
pushed to the git repository at source.isc.org, in case anyone wants to try
it now. I expect to release a beta version either next week or after the
holidays.

Barry Margolin

Dec 17, 2014, 5:20:18 PM
to comp-protoc...@isc.org
In article <mailman.1299.1418839...@lists.isc.org>,
Evan Hunt <ea...@isc.org> wrote:

> On Wed, Dec 17, 2014 at 03:32:30AM -0500, Barry Margolin wrote:
> > Didn't someone post a problem they were having a few days ago because of
> > a chain of Akamai CNAMEs that exceeded the limit?
>
> Recursion depth is about how many layers deep you have to go to
> resolve an NS address. CNAME chains have different limits on them.

But each CNAME is in a different domain, and their nameservers were in
yet other domains. So while resolving the CNAME chain, you also have to
perform several levels of recursion.

Does the max-recursion-depth limit apply to all of these combined, or
does each step in the chain start at zero?

Evan Hunt

Dec 17, 2014, 7:08:19 PM
to Barry Margolin, comp-protoc...@isc.org
On Wed, Dec 17, 2014 at 05:20:09PM -0500, Barry Margolin wrote:
> But each CNAME is in a different domain, and their nameservers were in
> yet other domains. So while resolving the CNAME chain, you also have to
> perform several levels of recursion.
>
> Does the max-recursion-depth limit apply to all of these combined, or
> does each step in the chain start at zero?

It limits how deep the server will go at any one time. If looking up a
name server requires looking up a second name server which requires looking
up a third, they're each pushed on to a stack. Eventually (one hopes), you
reach bottom and pop back up. If it turns out the name you asked for is
a CNAME, then you start a new stack while you resolve the CNAME target.
As long as the stack never exceeds seven layers of recursion, you're
fine.

Techs_Maru

Dec 17, 2014, 9:15:27 PM
to Evan Hunt, bind-...@lists.isc.org
Hi,
Thank you for the polite reply.

2014-12-17 15:16 GMT+09:00 Evan Hunt <ea...@isc.org>:
> On Wed, Dec 17, 2014 at 01:30:35PM +0900, Techs_Maru wrote:
>> However,
>> is the default value of "7" a value that was derived from real-world data?
>> (Also for the default value of "max-recursion-queries 50;".)
>
> I haven't personally seen any real world queries go more than 4
> levels deep, but I wouldn't be surprised if there were domains
> out there that do. 7 seemed like a safe upper limit.
>
> The default max-recursion-queries value of 50, we got by testing with a
> sample of real-world resolver traffic. It turns out it isn't quite right,
> though. A limit of 50 works fine with a populated cache (which is
> how we were testing it), but if the server is just starting up and the
> nameservers for .com and .org and .net and so on aren't in cache yet,
> then it *can* take more than 50 queries to resolve a name. (This turns
> out to be especially true on 9.10, due to changes in EDNS processing
> that affect how much NS glue we get from servers in the early stages of
> populating the cache.) We'll be making some adjustments in upcoming
> maintenance releases to allow for this.
>
>> I want to know the recommended settings for everyone to values.
>
> I'd leave the defaults alone on BIND 9.9. On 9.10, I might consider
> increasing max-recursion-queries to 100, but be prepared to back the
> change out when updating to the next release. Or leave the defaults
> alone but be prepared for the possibility of some SERVFAIL responses in
> the first few minutes after server startup.

Sorry, lack of knowledge on my part:
is the query flow different between 9.10.x and 9.9.x?

By the way,
is the value okay without changing even in the case of dual-stack name servers?

regards.