Hi Greg,

Thanks so much, your last paragraph makes sense.
I guess what I would expect, and excuse me if this reasoning is flawed, is
that BIND could use different queues/priorities for external/internal
domains. E.g. if after parsing the necessary query fields I see that I'm
authoritative for the requested zone, and I have its data stored locally, I
can reply straight away without a timeout/SERVFAIL and keep my internal
".local" domains running OK, while other queries that have to go to the
root servers would go straight to the recursive-clients quota.

Anyway, thanks a lot for your reply and for running the Internet for so
many years :D

Thanks!
Pedro



On Fri, 8 Nov 2024 at 11:43, Greg Choules (<g...@isc.org>) wrote:

> Hello Pedro.
> Firstly, which version of BIND are you running?
> Generally, though, increasing `recursive-clients` on a box with a decent
> amount of power and RAM is not an issue: 50k, or even bigger, should be
> fine. But please test it first. We have discussed raising the default but
> we’re not quite ready to make that change in a major release just yet.
>
> Be aware, though, that if the resolver can’t get answers, it will probably
> SERVFAIL clients and the larger the backlog of clients the longer it will
> take to get around to responding to them, by which time they are likely to
> have timed out and be retrying anyway.
>
> I hope that helps.
> Greg
>
> > On 8 Nov 2024, at 10:20, Pedro García Segura <pedr...@gmail.com> wrote:
> >
> > Hello,
> >
> > Recently we had an Internet outage that lasted for a few hours and
> quickly filled the recursive clients quota (set at 1000) since most
> internet-bound recursive queries timed out, and our network is huge.
> >
> > This also affected recursive queries to internal authoritative domains,
> thus interrupting access to critical internal resources which don't have
> any Internet/SaaS dependencies.
> >
> > I'm having a hard time understanding the default recursive max quota
> being set at 100 by default, since most modern servers now have RAM to
> spare, and it's a bit scary to think that another Internet outage may
> happen again and internal critical services may not be able to resolve
> internal authoritative zones.
> >
> > Can anyone give some insight into this issue? Can I just configure a
> huge number of maximum recursive clients (say 50k) to "absorb" the
> internet-bound queries that are timing out and be able to respond to client
> requests for internal authoritative zones?
> >
> > I'm probably missing something, so thanks a lot for your understanding!
> >
> > Cheers!
> > Pedro
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> >
> > ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
>
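
Added example, not part of the original thread and not ISC code: a shell check that reports how close named is to the `recursive-clients` quota discussed above, so a filling quota is noticed before clients start failing. It assumes `rndc status` prints a line of the form `recursive clients: current/soft/hard`; the function names, the 75% threshold and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Classify recursive-clients usage from `rndc status` output.
# Assumed input line format: "recursive clients: <current>/<soft>/<hard>"

# quota_state [warn_pct]
# Reads status text on stdin and prints "<state> <current> <soft> <hard>".
#   ok   - below warn_pct percent of the hard limit
#   warn - at or above warn_pct percent of the hard limit
#   soft - at or above the soft limit
#   full - at or above the hard limit
# Exits with status 2 if no usable "recursive clients:" line is present.
quota_state() {
    warn_pct=${1:-75}   # hypothetical alert threshold, tune per site
    awk -v warn="$warn_pct" '
        /^recursive clients:/ {
            # Third whitespace-separated field holds current/soft/hard
            if (split($3, q, "/") != 3) next
            cur = q[1] + 0; soft = q[2] + 0; hard = q[3] + 0
            if (hard <= 0) next
            state = "ok"
            if (cur * 100 >= warn * hard) state = "warn"
            if (cur >= soft) state = "soft"
            if (cur >= hard) state = "full"
            print state, cur, soft, hard
            found = 1
        }
        END { if (!found) exit 2 }
    '
}

# Constructed sample input, not captured from a real server: a resolver
# whose quota of 1000 has been filled, as in the outage described above.
sample_status() {
    cat <<'EOF'
version: BIND (constructed sample)
recursive clients: 1000/900/1000
tcp clients: 3/150
EOF
}

# Demonstration on the constructed sample.
# On a live resolver: rndc status | quota_state 75
sample_status | quota_state
```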