Thank you for this analysis.

On Wed, Apr 03, 2019 at 01:56:14PM -0700, Wes Hardaker wrote:
> Evan, at the IETF, reported in a few meetings and conversations that they
> had discovered a bug in bind previously that would exhibit this
> roll-over-and-die type behavior but that it was only present in
> out-of-date versions of bind (9.10 and below I believe he stated).
I think we have a case of two different bugs with superficially similar
effects. I haven't yet been able to reproduce yours (maybe it's specific to
Fedora somehow, or maybe I just haven't hit the right combination yet).

Mine causes named to go into a tight loop sending DNSKEY queries forever,
starting immediately on startup. It doesn't ever quiet down, even
temporarily, and it doesn't depend on incoming queries - it just spins.
Once the revoked key is removed, it stops.

Based on sheer volume, I would guess this was a bigger contributor to the
observed increase in DNSKEY traffic than the bug you discovered, though
yours is odd, and definitely warrants further investigation.

The looping bug was fixed in 9.10.2 and (if I recall correctly) 9.9.7, and
was never in the 9.11 branch. I saw a list of "version.bind" responses from
servers that were sending the most DNSKEY queries, and the worst offenders
were older than that.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
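The reply above describes the symptom an authoritative operator would see from the looping bug (a resolver that spins on DNSKEY queries from startup) and the triage step of checking "version.bind" on the worst offenders. The script below is an added example written for this page; it is not code from the thread, from ISC, or from BIND. It parses BIND 9 query-log lines in the default querylog format (the sample lines are constructed here, with RFC 5737 documentation addresses), counts DNSKEY queries per client, flags clients whose sustained DNSKEY rate looks like a loop rather than a normal key refresh, and builds the CHAOS-class version.bind lookup an operator would run next. The thresholds (20 queries, 10 queries per second) and the regex are this example's assumptions, not values from the thread.

```python
"""Flag resolvers that appear to be looping on DNSKEY queries.

Added example for this page, not code from the mailing-list thread or from
BIND. Input is BIND 9 query-log text; the regex below assumes the default
querylog line format. The sample data at the bottom is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default BIND 9 querylog shape, e.g.
#   03-Apr-2019 13:56:14.000 client @0x7f3a4c0b2010 192.0.2.10#53211 (.): query: . IN DNSKEY -E(0)DC (192.0.2.1)
# Only the timestamp, client address, qname, class and type are captured.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client(?: @0x[0-9a-f]+)? (?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("name"), m.group("type")


def dnskey_rates(lines):
    """Per client: (dnskey_query_count, seconds_spanned, queries_per_second)."""
    first, last, count = {}, {}, defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _qname, qtype = parsed
        if qtype != "DNSKEY":
            continue
        count[ip] += 1
        first.setdefault(ip, ts)
        last[ip] = ts
    rates = {}
    for ip, n in count.items():
        span = (last[ip] - first[ip]).total_seconds()
        # A single query spans no time; report 0 qps so it is never rate-flagged.
        qps = n / span if span > 0 else 0.0
        rates[ip] = (n, span, qps)
    return rates


def flag_loopers(rates, min_queries=20, min_qps=10.0):
    """Clients with both enough DNSKEY queries and a sustained rate (thresholds are assumptions)."""
    return sorted(ip for ip, (n, _span, qps) in rates.items()
                  if n >= min_queries and qps >= min_qps)


def version_bind_command(ip):
    """CHAOS-class TXT lookup for the resolver's self-reported version.

    Operators can override or hide this string in named.conf, so treat the
    answer as a hint about the software version, not as proof.
    """
    return f"dig @{ip} version.bind CH TXT +short"


def build_sample():
    """Constructed query-log lines: one looping resolver, one healthy one."""
    base = datetime(2019, 4, 3, 13, 56, 14)

    def fmt(t):
        return t.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]  # trim to milliseconds

    lines = []
    # Looping resolver: 100 DNSKEY queries for the root zone in ~5 seconds.
    for i in range(100):
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f"{fmt(t)} client @0x7f3a4c0b2010 192.0.2.10#53211 (.): "
                     f"query: . IN DNSKEY -E(0)DC (192.0.2.1)")
    # Healthy resolver: a DNSKEY refresh once a minute plus ordinary A lookups.
    for s in (0, 60, 120):
        t = base + timedelta(seconds=s)
        lines.append(f"{fmt(t)} client @0x7f3a4c0b2a80 198.51.100.7#41002 (example.com): "
                     f"query: example.com IN DNSKEY -E(0)DC (192.0.2.1)")
        lines.append(f"{fmt(t + timedelta(seconds=5))} client @0x7f3a4c0b2a80 198.51.100.7#41003 "
                     f"(www.example.com): query: www.example.com IN A -E(0)DC (192.0.2.1)")
    return lines


if __name__ == "__main__":
    rates = dnskey_rates(build_sample())
    for ip in flag_loopers(rates):
        n, span, qps = rates[ip]
        print(f"{ip}: {n} DNSKEY queries in {span:.1f}s ({qps:.1f} qps); check with: "
              f"{version_bind_command(ip)}")
```

On a real query log the same two functions run over the file lines unchanged; the healthy resolver shows a handful of DNSKEY queries spread over minutes, while a looper shows a high count at a steady rate with no quiet periods, which is the distinguishing feature Evan describes.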