Educause Security Discussion mailing list archives

Re: regarding the critical DNS protocol vulnerability

From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 11 Jul 2008 19:17:21 +1200

On 11/07/2008, at 4:17 PM, Russ Harvey wrote:

Unfortunately the ISC fixes we tried for BIND did not work. We are
running
9.4.1-P1 so first went to 9.4.2-P1, then 9.5.0-P1, then 9.5.1b1. We
found
either exhausted file descriptors, EDNS handling bugs, or just plain
poor
performance. We are back to 9.4.1-P1.

Anyone else having problems with patching BIND for this problem?


we are using RHE 5 and applied their standard updates without
problems.  I warned our admins about the potential performance issues
and they upgraded just one of the four to see how it went.  Everything
was OK so we upgraded the other 3 too.  Typically our servers get
around 10,000 queries per minute...

Russell

Current thread:

regarding the critical DNS protocol vulnerability Doug Pearson (Jul 10)
- <Possible follow-ups>
- Re: regarding the critical DNS protocol vulnerability Russell Fulton (Jul 10)
- Re: regarding the critical DNS protocol vulnerability Russ Harvey (Jul 10)
- Re: regarding the critical DNS protocol vulnerability Russell Fulton (Jul 11)
- Re: regarding the critical DNS protocol vulnerability Dick Jacobson (Jul 11)
- Re: regarding the critical DNS protocol vulnerability Keir Novik (Jul 11)
- Re: regarding the critical DNS protocol vulnerability Lutinski, Steven T (Jul 11)
- Re: regarding the critical DNS protocol vulnerability Shumon Huque (Jul 12)