Educause Security Discussion mailing list archives

Re: regarding the critical DNS protocol vulnerability


From: "Lutinski, Steven T" <steve.lutinski () VERIZONBUSINESS COM>
Date: Fri, 11 Jul 2008 18:52:35 +0000

Can you please remove me?
Thanks

----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Fri Jul 11 18:17:35 2008
Subject: Re: [SECURITY] regarding the critical DNS protocol vulnerability

On 10-Jul-08, at 9:17 PM, Russ Harvey wrote:

Unfortunately the ISC fixes we tried for BIND did not work. We are running 9.4.1-P1 so first went to 9.4.2-P1, then 9.5.0-P1, then 9.5.1b1. We found either exhausted file descriptors, EDNS handling bugs, or just plain poor performance. We are back to 9.4.1-P1.

Anyone else having problems with patching BIND for this problem?

We saw lots of EDNS messages with 9.5.0-P1, and have now stopped logging them.

Jul  8 15:54:58 named: [daemon.info] edns-disabled: info: too many timeouts resolving 'ns1.hserv8.com.br/AAAA' (in 'hserv8.com.br'?): disabling EDNS

We ran out of file descriptors with 9.4.2-P1 and 9.5.0-P1 on a few servers

Jul  9 09:42:17 named: [daemon.error] socket: too many open file descriptors

and are now running 9.4.3b2 on them, although we've seen BIND crash once. For more information on file descriptor limits for Solaris, see

http://blogs.sun.com/mandalika/entry/solaris_workaround_to_stdio_s

Regards,
Keir

--
Dr. Keir Novik / Network Services, Simon Fraser University
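As an added example, not part of the thread or of ISC's code, here is a small Python triage script that scans named syslog output for the two symptoms Keir reports after upgrading, EDNS being disabled for a zone and file-descriptor exhaustion, and summarises them so an operator can tell whether the descriptor limit needs raising. The sample log lines are constructed after the ones quoted above; the zone names in them are placeholders.

```python
import re
from collections import Counter

# Constructed sample named syslog output, modelled on the lines quoted in the thread.
# Zone names are placeholders, not real hosts.
SAMPLE_LOG = """\
Jul  8 15:54:58 named: [daemon.info] edns-disabled: info: too many timeouts resolving 'ns1.example.com.br/AAAA' (in 'example.com.br'?): disabling EDNS
Jul  8 15:55:02 named: [daemon.info] edns-disabled: info: too many timeouts resolving 'ns2.example.com.br/A' (in 'example.com.br'?): disabling EDNS
Jul  9 09:42:17 named: [daemon.error] socket: too many open file descriptors
Jul  9 09:42:17 named: [daemon.error] socket: too many open file descriptors
Jul  9 09:43:01 named: [daemon.info] zone example.edu/IN: loaded serial 2008070901
"""

# Matches the edns-disabled message and captures the name being resolved and its zone.
EDNS_RE = re.compile(
    r"edns-disabled: .*resolving '(?P<qname>[^']+)' \(in '(?P<zone>[^']+)'\?\)"
)
# Matches the socket error emitted when named hits the process descriptor limit.
FD_RE = re.compile(r"socket: too many open file descriptors")


def triage_named_log(text):
    """Summarise named log text: EDNS disabling per zone and descriptor exhaustion count."""
    edns_per_zone = Counter()
    fd_exhaustion = 0
    unmatched = 0
    for line in text.splitlines():
        m = EDNS_RE.search(line)
        if m:
            edns_per_zone[m.group("zone")] += 1
        elif FD_RE.search(line):
            fd_exhaustion += 1
        else:
            unmatched += 1
    findings = []
    if fd_exhaustion:
        # Source-port randomisation keeps many more UDP sockets open than an
        # unpatched resolver did, so this usually means the nofile limit is too low.
        findings.append("descriptor limit reached: raise the per-process open file limit for named")
    if edns_per_zone:
        findings.append("EDNS disabled for %d zone(s): check for upstream timeouts or EDNS-hostile middleboxes"
                        % len(edns_per_zone))
    return {
        "edns_disabled": dict(edns_per_zone),
        "fd_exhaustion": fd_exhaustion,
        "unmatched": unmatched,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage_named_log(SAMPLE_LOG).items():
        print(key, value)
```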
