From: Ondřej Surý
Date: Wed, 28 Jan 2026 14:04:58 +0000 (+0100)
Subject: Enable minimal ANY answers by default
X-Git-Tag: v9.21.18~4^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bebf8ee9d729a6e623cc16a8e08d40442073197;p=thirdparty%2Fbind9.git
Enable minimal ANY answers by default
ANY queries are widely abused by attackers doing reflection attacks as they return the largest answers. Enable minimal ANY answers by default to reduce the attack surface of the DNS servers.
---
diff --git a/bin/include/defaultconfig.h b/bin/include/defaultconfig.h
index fb1ede220cc..c92aeaea054 100644
--- a/bin/include/defaultconfig.h
+++ b/bin/include/defaultconfig.h
@@ -154,7 +154,7 @@ options {\n\
 message-compression yes;\n\
 min-ncache-ttl 0; /* 0 hours */\n\
 min-cache-ttl 0; /* 0 seconds */\n\
- minimal-any false;\n\
+ minimal-any yes;\n\
 minimal-responses no-auth-recursive;\n\
 notify-source *;\n\
 notify-source-v6 *;\n\
diff --git a/bin/tests/system/digdelv/ns2/named.conf.j2 b/bin/tests/system/digdelv/ns2/named.conf.j2
index 47b0449ffb3..07a6228ac17 100644
--- a/bin/tests/system/digdelv/ns2/named.conf.j2
+++ b/bin/tests/system/digdelv/ns2/named.conf.j2
@@ -21,6 +21,7 @@ options {
 listen-on-v6 { fd92:7065:b8e:ffff::2; };
 recursion no;
 dnssec-validation no;
+ minimal-any no;
 };
 zone "." {
diff --git a/bin/tests/system/digdelv/ns3/named.conf.j2 b/bin/tests/system/digdelv/ns3/named.conf.j2
index 90a3fa30669..4105ada269c 100644
--- a/bin/tests/system/digdelv/ns3/named.conf.j2
+++ b/bin/tests/system/digdelv/ns3/named.conf.j2
@@ -20,6 +20,7 @@ options {
 recursion yes;
 dnssec-validation no;
 server-id "ns3";
+ minimal-any no;
 };
 zone "." {
diff --git a/bin/tests/system/dnssec/ns1/named.conf.j2 b/bin/tests/system/dnssec/ns1/named.conf.j2
index bd1ccc40810..f78cc0acd66 100644
--- a/bin/tests/system/dnssec/ns1/named.conf.j2
+++ b/bin/tests/system/dnssec/ns1/named.conf.j2
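Review bot: The defaultconfig.h hunk flips an operator-visible default, yet nothing in this diff adds a release note or CHANGES entry saying that ANY answers are now reduced to a single RRset and how to get the old behaviour back; unless one lands elsewhere, a note along the lines of `minimal-any now defaults to yes; set "minimal-any no;" to restore full ANY answers` belongs in doc/notes. The removed line spelled the value `false` while the new line uses `yes`; both parse, but `yes` matches the neighbouring `message-compression yes;` and the ARM text updated in this commit, so the new spelling is the right one. As far as I recall minimal-any only changes UDP responses and TCP ANY answers stay complete, which is what makes it a reflection mitigation rather than a functional change — worth confirming and stating in the note, since the commit message's rationale depends on it. It also does not shrink other amplification-friendly answers (large DNSKEY or RRSIG sets), so the note should present this as a complement to response-rate-limiting, not a replacement.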
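Review bot: Every test configuration touched by this commit opts out with `minimal-any no;`, so after this change no system test appears to exercise the new default; the digdelv/ns2 hunk is a natural place to leave one server on the default (or add one) and assert that an ANY query for a name with several RRsets returns only one of them. Without such a case a later regression that silently reverts the value in defaultconfig.h would still pass the suite. The `options {` block these lines belong to starts and ends outside the hunk.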
@@ -21,6 +21,8 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.1; };
 listen-on-v6 { none; };
+ minimal-any no;
+ minimal-responses no;
 recursion no;
 notify yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/dnssec/ns2/named.conf.j2 b/bin/tests/system/dnssec/ns2/named.conf.j2
index 8507c768f0b..7594ba276fd 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.j2
+++ b/bin/tests/system/dnssec/ns2/named.conf.j2
@@ -22,11 +22,12 @@ options {
 listen-on { 10.53.0.2; };
 listen-on-v6 { none; };
 allow-transfer { any; };
+ minimal-any no;
+ minimal-responses no;
 recursion no;
 notify yes;
 dnssec-validation yes;
 notify-delay 1;
- minimal-responses no;
 };
 key rndc_key {
diff --git a/bin/tests/system/dnssec/ns3/named.conf.j2 b/bin/tests/system/dnssec/ns3/named.conf.j2
index 9cbc58892c8..286a3f589ab 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.j2
+++ b/bin/tests/system/dnssec/ns3/named.conf.j2
@@ -24,11 +24,12 @@ options {
 listen-on { 10.53.0.3; };
 listen-on-v6 { none; };
 allow-transfer { any; };
+ minimal-any no;
+ minimal-responses no;
 recursion no;
 notify yes;
 dnssec-validation yes;
 session-keyfile "session.key";
- minimal-responses no;
 };
 key rndc_key {
diff --git a/bin/tests/system/dnssec/ns4/named.conf.j2 b/bin/tests/system/dnssec/ns4/named.conf.j2
index b4aa86146a5..91e2e7d953f 100644
--- a/bin/tests/system/dnssec/ns4/named.conf.j2
+++ b/bin/tests/system/dnssec/ns4/named.conf.j2
@@ -26,8 +26,9 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.4; };
 listen-on-v6 { none; };
- recursion yes;
+ minimal-any no;
 minimal-responses no;
+ recursion yes;
 {% if accept_expired %}
 dnssec-accept-expired yes;
diff --git a/bin/tests/system/dnssec/ns5/named.conf.j2 b/bin/tests/system/dnssec/ns5/named.conf.j2
index a0332d9d6ff..5429d021fa1 100644
--- a/bin/tests/system/dnssec/ns5/named.conf.j2
+++ b/bin/tests/system/dnssec/ns5/named.conf.j2
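Review bot: In the dnssec/ns4 hunk `recursion yes;` is deleted and re-added only to move it below the new `minimal-any no;` line, and the ns2 and ns3 hunks above do the same with `minimal-responses no;`; every other configuration in this commit is a pure one-line addition, and leaving the existing lines where they were would give these hunks the same shape and keep blame history intact. If the intent is to keep the two minimal-* options adjacent, a short comment such as `// these tests inspect complete responses; override the new minimal-any default` would record why the test overrides the default, which is otherwise only implied by the commit message (that the tests look at full responses is my presumption). The enclosing `options {` block starts and ends outside the hunk.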
@@ -24,6 +24,7 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.5; 127.0.0.1; };
 listen-on-v6 { none; };
+ minimal-any no;
 recursion yes;
 minimal-responses no;
 servfail-ttl 0;
diff --git a/bin/tests/system/dnssec/ns6/named.conf.j2 b/bin/tests/system/dnssec/ns6/named.conf.j2
index c3c0da6e44e..2fb2cf54131 100644
--- a/bin/tests/system/dnssec/ns6/named.conf.j2
+++ b/bin/tests/system/dnssec/ns6/named.conf.j2
@@ -21,6 +21,7 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.6; };
 listen-on-v6 { none; };
+ minimal-any no;
 recursion yes;
 notify yes;
 disable-algorithms . { @ALTERNATIVE_ALGORITHM@; };
diff --git a/bin/tests/system/dnssec/ns9/named.conf.j2 b/bin/tests/system/dnssec/ns9/named.conf.j2
index 2a335b5a9ff..c69135f92d1 100644
--- a/bin/tests/system/dnssec/ns9/named.conf.j2
+++ b/bin/tests/system/dnssec/ns9/named.conf.j2
@@ -23,6 +23,7 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.9; };
 listen-on-v6 { none; };
+ minimal-any no;
 recursion yes;
 dnssec-validation yes;
 forward only;
diff --git a/bin/tests/system/resolver/ns1/named.conf.j2 b/bin/tests/system/resolver/ns1/named.conf.j2
index 2bb2ce1f86b..26a8ce72f64 100644
--- a/bin/tests/system/resolver/ns1/named.conf.j2
+++ b/bin/tests/system/resolver/ns1/named.conf.j2
@@ -32,6 +32,7 @@ options {
 attach-cache "globalcache";
 max-recursion-queries 100;
 request-zoneversion yes;
+ minimal-any no;
 };
diff --git a/bin/tests/system/resolver/ns11/named.conf.j2 b/bin/tests/system/resolver/ns11/named.conf.j2
index 14ed048629a..b6dba3be70f 100644
--- a/bin/tests/system/resolver/ns11/named.conf.j2
+++ b/bin/tests/system/resolver/ns11/named.conf.j2
@@ -21,4 +21,5 @@ options {
 listen-on-v6 { none; };
 recursion no;
 dnssec-validation no;
+ minimal-any no;
 };
diff --git a/bin/tests/system/resolver/ns4/named.conf.j2 b/bin/tests/system/resolver/ns4/named.conf.j2
index 67cbee88703..38b24d64c5b 100644
--- a/bin/tests/system/resolver/ns4/named.conf.j2
+++ b/bin/tests/system/resolver/ns4/named.conf.j2
@@ -23,6 +23,7 @@ options {
 listen-on-v6 { none; };
 recursion no;
 dnssec-validation no;
+ minimal-any no;
 };
 zone "." {
diff --git a/bin/tests/system/resolver/ns5/named.conf.j2 b/bin/tests/system/resolver/ns5/named.conf.j2
index 21c5fe87357..47fa54dc2f1 100644
--- a/bin/tests/system/resolver/ns5/named.conf.j2
+++ b/bin/tests/system/resolver/ns5/named.conf.j2
@@ -28,6 +28,7 @@ options {
 responselog yes;
 request-nsid yes;
 request-zoneversion yes;
+ minimal-any no;
 };
 // Don't break tests which depend on ans10 by requesting
diff --git a/bin/tests/system/resolver/ns6/named.conf.j2 b/bin/tests/system/resolver/ns6/named.conf.j2
index 34552af1b7d..19c2da95871 100644
--- a/bin/tests/system/resolver/ns6/named.conf.j2
+++ b/bin/tests/system/resolver/ns6/named.conf.j2
@@ -27,6 +27,7 @@ options {
 statistics-file "named.stats";
 max-udp-size 4096;
 responselog no;
+ minimal-any no;
 };
 zone "." {
diff --git a/bin/tests/system/resolver/ns7/named.conf.j2 b/bin/tests/system/resolver/ns7/named.conf.j2
index b9938520d64..9ae4fcfb9e0 100644
--- a/bin/tests/system/resolver/ns7/named.conf.j2
+++ b/bin/tests/system/resolver/ns7/named.conf.j2
@@ -32,6 +32,7 @@ options {
 prefetch 0;
 querylog yes;
 edns-udp-size 4096;
+ minimal-any no;
 };
diff --git a/bin/tests/system/resolver/ns9/named.conf.j2 b/bin/tests/system/resolver/ns9/named.conf.j2
index c1e79febec3..af61088eaf0 100644
--- a/bin/tests/system/resolver/ns9/named.conf.j2
+++ b/bin/tests/system/resolver/ns9/named.conf.j2
@@ -23,6 +23,7 @@ options {
 dnssec-validation no;
 dual-stack-servers { fd92:7065:b8e:ffff::7; };
 qname-minimization off;
+ minimal-any no;
 };
diff --git a/bin/tests/system/rpz/ns1/named.conf.j2 b/bin/tests/system/rpz/ns1/named.conf.j2
index e7af61d0737..55e5b607198 100644
--- a/bin/tests/system/rpz/ns1/named.conf.j2
+++ b/bin/tests/system/rpz/ns1/named.conf.j2
@@ -22,6 +22,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify no;
+ minimal-any no;
 minimal-responses no;
 dnssec-validation no;
 };
diff --git a/bin/tests/system/rpz/ns10/named.conf.j2 b/bin/tests/system/rpz/ns10/named.conf.j2
index 2cbb6ee838a..89fe12fc3b2 100644
--- a/bin/tests/system/rpz/ns10/named.conf.j2
+++ b/bin/tests/system/rpz/ns10/named.conf.j2
@@ -22,6 +22,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify no;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns2/named.conf.j2 b/bin/tests/system/rpz/ns2/named.conf.j2
index 617edd9e9d2..633d2f437b2 100644
--- a/bin/tests/system/rpz/ns2/named.conf.j2
+++ b/bin/tests/system/rpz/ns2/named.conf.j2
@@ -22,6 +22,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify no;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns3/named.conf.j2 b/bin/tests/system/rpz/ns3/named.conf.j2
index 2f8879b081e..3e8bce35edf 100644
--- a/bin/tests/system/rpz/ns3/named.conf.j2
+++ b/bin/tests/system/rpz/ns3/named.conf.j2
@@ -29,6 +29,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify yes;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation no;
diff --git a/bin/tests/system/rpz/ns4/named.conf.j2 b/bin/tests/system/rpz/ns4/named.conf.j2
index a5ef523ced3..0f37c97db41 100644
--- a/bin/tests/system/rpz/ns4/named.conf.j2
+++ b/bin/tests/system/rpz/ns4/named.conf.j2
@@ -22,6 +22,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify no;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns5/named.conf.j2 b/bin/tests/system/rpz/ns5/named.conf.j2
index e1a727f0df8..441da7e156c 100644
--- a/bin/tests/system/rpz/ns5/named.conf.j2
+++ b/bin/tests/system/rpz/ns5/named.conf.j2
@@ -29,6 +29,7 @@ options {
 ixfr-from-differences yes;
 notify-delay 0;
 notify yes;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns6/named.conf.j2 b/bin/tests/system/rpz/ns6/named.conf.j2
index 01497b20588..29fa84820d4 100644
--- a/bin/tests/system/rpz/ns6/named.conf.j2
+++ b/bin/tests/system/rpz/ns6/named.conf.j2
@@ -24,6 +24,7 @@ options {
 allow-transfer { any; };
 forward only;
 forwarders { 10.53.0.3; };
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns7/named.conf.j2 b/bin/tests/system/rpz/ns7/named.conf.j2
index b648abd1455..f48edead00c 100644
--- a/bin/tests/system/rpz/ns7/named.conf.j2
+++ b/bin/tests/system/rpz/ns7/named.conf.j2
@@ -22,6 +22,7 @@ options {
 listen-on { 10.53.0.7; };
 listen-on-v6 { none; };
 allow-transfer { any; };
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns8/named.conf.j2 b/bin/tests/system/rpz/ns8/named.conf.j2
index ef6bc3f795c..574c84ab700 100644
--- a/bin/tests/system/rpz/ns8/named.conf.j2
+++ b/bin/tests/system/rpz/ns8/named.conf.j2
@@ -27,6 +27,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify yes;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation no;
diff --git a/bin/tests/system/rpz/ns9/named.conf.j2 b/bin/tests/system/rpz/ns9/named.conf.j2
index b26129d1db0..0c747d45aab 100644
--- a/bin/tests/system/rpz/ns9/named.conf.j2
+++ b/bin/tests/system/rpz/ns9/named.conf.j2
@@ -27,6 +27,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify yes;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation no;
diff --git a/bin/tests/system/rpzextra/ns2/named.conf.j2 b/bin/tests/system/rpzextra/ns2/named.conf.j2
index 6317563dc99..5ad99a4ad9f 100644
--- a/bin/tests/system/rpzextra/ns2/named.conf.j2
+++ b/bin/tests/system/rpzextra/ns2/named.conf.j2
@@ -30,6 +30,7 @@ options {
 notify no;
 dnssec-validation no;
 allow-query { any; };
+ minimal-any no;
 };
 zone "allowed" {
diff --git a/bin/tests/system/rpzextra/ns3/named.conf.j2 b/bin/tests/system/rpzextra/ns3/named.conf.j2
index cd459bcda65..ba477461006 100644
--- a/bin/tests/system/rpzextra/ns3/named.conf.j2
+++ b/bin/tests/system/rpzextra/ns3/named.conf.j2
@@ -30,6 +30,7 @@ options {
 notify no;
 dnssec-validation no;
 allow-query { any; };
+ minimal-any no;
 recursion yes;
 allow-recursion { any; };
 empty-zones-enable false;
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index d9061215c5b..6e14b129590 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2093,7 +2093,7 @@ Boolean Options
 necessarily the smallest available RRset.) Additionally, :any:`minimal-responses` is turned on for these queries, so no unnecessary records are added to the authority or additional
- sections. The default is ``no``.
+ sections. The default is ``yes``.
 .. namedconf:statement:: notify
 :tags: transfer