Educause Security Discussion mailing list archives
Re: regarding the critical DNS protocol vulnerability
From: Keir Novik <novik () SFU CA>
Date: Fri, 11 Jul 2008 11:17:35 -0700
On 10-Jul-08, at 9:17 PM, Russ Harvey wrote:
> Unfortunately the ISC fixes we tried for BIND did not work. We are running 9.4.1-P1 so first went to 9.4.2-P1, then 9.5.0-P1, then 9.5.1b1. We found either exhausted file descriptors, EDNS handling bugs, or just plain poor performance. We are back to 9.4.1-P1. Anyone else having problems with patching BIND for this problem?

We saw lots of EDNS messages with 9.5.0-P1, and have now stopped logging them.

    Jul 8 15:54:58 named: [daemon.info] edns-disabled: info: too many timeouts resolving 'ns1.hserv8.com.br/AAAA' (in 'hserv8.com.br'?): disabling EDNS

We ran out of file descriptors with 9.4.2-P1 and 9.5.0-P1 on a few servers

    Jul 9 09:42:17 named: [daemon.error] socket: too many open file descriptors

and are now running 9.4.3b2 on them, although we've seen BIND crash once.

For more information on file descriptor limits for Solaris, see
http://blogs.sun.com/mandalika/entry/solaris_workaround_to_stdio_s

Regards,
Keir

--
Dr. Keir Novik / Network Services, Simon Fraser University