Educause Security Discussion mailing list archives

Re: regarding the critical DNS protocol vulnerability


From: Keir Novik <novik () SFU CA>
Date: Fri, 11 Jul 2008 11:17:35 -0700

On 10-Jul-08, at 9:17 PM, Russ Harvey wrote:

Unfortunately the ISC fixes we tried for BIND did not work. We are running 9.4.1-P1 so first went to 9.4.2-P1, then 9.5.0-P1, then 9.5.1b1. We found either exhausted file descriptors, EDNS handling bugs, or just plain poor performance. We are back to 9.4.1-P1.

Anyone else having problems with patching BIND for this problem?

We saw lots of EDNS messages with 9.5.0-P1, and have now stopped logging them.

Jul  8 15:54:58 named: [daemon.info] edns-disabled: info: too many timeouts resolving 'ns1.hserv8.com.br/AAAA' (in 'hserv8.com.br'?): disabling EDNS

We ran out of file descriptors with 9.4.2-P1 and 9.5.0-P1 on a few servers

Jul  9 09:42:17 named: [daemon.error] socket: too many open file descriptors

and are now running 9.4.3b2 on them, although we've seen BIND crash once. For more information on file descriptor limits for Solaris, see

http://blogs.sun.com/mandalika/entry/solaris_workaround_to_stdio_s

Regards,
Keir

--
Dr. Keir Novik / Network Services, Simon Fraser University
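The two symptoms reported in this message (EDNS being disabled after repeated timeouts, and named running out of socket file descriptors after the patched releases started opening many more UDP sockets) are easy to miss in a busy syslog. Below is an added example, not code from the thread or from ISC, that triages named log lines into those two categories and checks how close a process is to its descriptor limit. The sample log is constructed; its first two lines reproduce the messages quoted above, the rest are made up. The `fd_headroom` helper takes an open-descriptor count and soft limit that you would obtain on a live server yourself (for example from `pfiles`/`plimit` on Solaris or `/proc/<pid>/fd` and `/proc/<pid>/limits` on Linux); it does not inspect the running process.

```python
import re
from collections import Counter

# Constructed sample of named syslog output. The first two lines are the
# messages quoted in the post; the remaining lines are invented for the example.
SAMPLE_LOG = """\
Jul  8 15:54:58 named: [daemon.info] edns-disabled: info: too many timeouts resolving 'ns1.hserv8.com.br/AAAA' (in 'hserv8.com.br'?): disabling EDNS
Jul  9 09:42:17 named: [daemon.error] socket: too many open file descriptors
Jul  9 09:42:18 named: [daemon.info] edns-disabled: info: too many timeouts resolving 'ns2.example.net/A' (in 'example.net'?): disabling EDNS
Jul  9 09:42:19 named: [daemon.error] socket: too many open file descriptors
Jul  9 09:42:20 named: [daemon.info] zone example.org/IN: loaded serial 2008070901
"""

# Generic syslog prefix as it appears in the quoted lines: timestamp, program,
# bracketed facility.priority, then the free-form message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) named: "
    r"\[(?P<facility>[\w.]+)\] (?P<msg>.*)$"
)

# BIND's edns-disabled category message; captures the name being resolved and
# the zone BIND guessed it belongs to.
EDNS_RE = re.compile(
    r"edns-disabled: info: too many timeouts resolving '(?P<name>[^']+)' "
    r"\(in '(?P<zone>[^']+)'\?\): disabling EDNS"
)

# Socket creation failing because the process hit its descriptor limit.
FD_RE = re.compile(r"socket: too many open file descriptors")


def triage(log_text):
    """Count the two symptoms from the thread and which zones trigger EDNS fallback.

    Returns a dict with per-category counts and a Counter of zones for which
    EDNS was disabled, so a single misbehaving upstream stands out.
    """
    summary = {
        "edns_disabled": 0,
        "fd_exhausted": 0,
        "other": 0,
        "edns_zones": Counter(),
    }
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a named line in the expected shape; skip it
        msg = m.group("msg")
        edns = EDNS_RE.search(msg)
        if edns:
            summary["edns_disabled"] += 1
            summary["edns_zones"][edns.group("zone")] += 1
        elif FD_RE.search(msg):
            summary["fd_exhausted"] += 1
        else:
            summary["other"] += 1
    return summary


def fd_headroom(open_fds, soft_limit, warn_fraction=0.8):
    """Return (fraction of the soft limit in use, True if at or over warn_fraction).

    open_fds and soft_limit are supplied by the caller from the live system;
    the default warning threshold of 80% is an assumption, not a BIND value.
    """
    if soft_limit <= 0:
        raise ValueError("soft_limit must be positive")
    used = open_fds / soft_limit
    return used, used >= warn_fraction


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"EDNS disabled: {report['edns_disabled']} "
          f"(zones: {dict(report['edns_zones'])})")
    print(f"fd exhaustion errors: {report['fd_exhausted']}")
    # Example numbers only: a 32-bit Solaris process with the classic 256 stdio limit.
    frac, warn = fd_headroom(250, 256)
    print(f"fd usage {frac:.0%}, warning={warn}")
```

Run against a real log, a rising `fd_exhausted` count after an upgrade is the cue to raise the descriptor limit before the resolver starts dropping queries, and a long tail of distinct zones under `edns_zones` suggests the EDNS fallbacks are normal upstream noise rather than a local bug.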
