[ksk-rollover] Description of my analysis of the too-many-KSK queries problem

Evan Hunt each at isc.org
Thu Apr 4 16:18:20 UTC 2019

Thank you for this analysis.

On Wed, Apr 03, 2019 at 01:56:14PM -0700, Wes Hardaker wrote:
> Evan, at the IETF, reported in a few meetings and conversations that
> they had discovered a bug in bind previously that would exhibit this
> roll-over-and-die type behavior but that it was only present in
> out-of-date versions of bind (9.10 and below I believe he stated).

I think we have a case of two different bugs with superficially similar
effects.  I haven't yet been able to reproduce yours (maybe it's specific
to Fedora somehow, or maybe I just haven't hit the right combination
yet).  Mine causes named to go into a tight loop sending DNSKEY queries
forever, starting immediately on startup. It doesn't ever quiet down, even
temporarily, and it doesn't depend on incoming queries - it just spins.
Once the revoked key is removed, it stops.

Based on sheer volume, I would guess this was a bigger contributor to the
observed increase in DNSKEY traffic than the bug you discovered, though
yours is odd, and definitely warrants further investigation.

The looping bug was fixed in 9.10.2 and (if I recall correctly) 9.9.7, and
was never in the 9.11 branch.  I saw a list of "version.bind" responses
from servers that were sending the most DNSKEY queries, and the worst
offenders were older than that.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the ksk-rollover mailing list