Educause Security Discussion mailing list archives
Re: regarding the critical DNS protocol vulnerability
From: Shumon Huque <shuque () ISC UPENN EDU>
Date: Sat, 12 Jul 2008 22:03:44 -0400
On Fri, Jul 11, 2008 at 11:17:35AM -0700, Keir Novik wrote:
[...]
> We ran out of file descriptors with 9.4.2-P1 and 9.5.0-P1 on a few servers
>
>     Jul 9 09:42:17 named: [daemon.error] socket: too many open file descriptors
>
> and are now running 9.4.3b2 on them, although we've seen BIND crash once.
> For more information on file descriptor limits for Solaris, see
> http://blogs.sun.com/mandalika/entry/solaris_workaround_to_stdio_s
This article refers to a file descriptor limit in stdio (the standard I/O library), so it applies to stdio functions like fopen() etc. It doesn't apply to socket(), which is what BIND would be using. The Solaris operating system open file descriptor limit is much larger. The default soft limit appears to be only 256, but programs can change that with setrlimit() up to 65536, which is what BIND appears to be doing.

BIND uses the select() system call to manage open sockets. select() has a built-in limit on the number of descriptors that it can handle. The default appears to be 1024 for 32-bit programs and 65536 for 64-bit programs, and the 32-bit limit can be increased by compiling C programs with a redefined FD_SETSIZE pre-processor definition.

I've been running bind-9.4.2-P1 for a few days on a few Solaris 10 systems. I've observed the nameserver exceed 500 descriptors without any problems.

--Shumon.
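The reply above distinguishes two separate ceilings: the per-process RLIMIT_NOFILE that setrlimit() can raise, and the compile-time FD_SETSIZE that bounds what select() can track. The following C program is an added example (not code from the thread's authors or from BIND) that makes both limits visible on a POSIX host: it raises the soft descriptor limit toward 65536 as far as the hard limit permits, reports the C library's FD_SETSIZE, and opens a batch of UDP sockets the way a resolver randomizing source ports holds many query sockets at once, counting how many land above select()'s reach. The 1024/65536 figures in the reply are Solaris specifics; this example uses whatever FD_SETSIZE the host's headers define, and the target of 65536 and the batch size of 2000 are assumed values chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Raise the soft RLIMIT_NOFILE toward `wanted`, never above the hard limit
 * (an unprivileged process cannot exceed it).  Returns the soft limit that is
 * actually in effect afterwards, or 0 if the rlimit calls fail. */
long raise_nofile_soft_limit(long wanted)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    rlim_t target = (rlim_t)wanted;
    if (rl.rlim_max != RLIM_INFINITY && target > rl.rlim_max)
        target = rl.rlim_max;          /* cap at the hard limit */
    if (target > rl.rlim_cur) {
        rl.rlim_cur = target;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            return 0;
    }
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    return (long)rl.rlim_cur;
}

/* FD_SETSIZE is a compile-time constant of the C library, independent of
 * RLIMIT_NOFILE.  A descriptor numbered >= FD_SETSIZE cannot be placed in an
 * fd_set, so select()-based code cannot service it (and FD_SET on such a
 * descriptor writes past the end of the set). */
int select_capacity(void)
{
    return FD_SETSIZE;
}

int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

struct socket_probe {
    int opened;             /* sockets successfully created */
    int beyond_select;      /* of those, how many select() could not track */
    int errno_at_failure;   /* errno of the first failed socket() call, else 0 */
};

/* Create up to `n` UDP sockets (constructed load, not real queries) and
 * report how many of them are numbered beyond FD_SETSIZE. */
struct socket_probe probe_udp_sockets(int n)
{
    struct socket_probe p = {0, 0, 0};
    int *fds = calloc(n > 0 ? (size_t)n : 1, sizeof *fds);
    if (fds == NULL)
        return p;
    for (int i = 0; i < n; i++) {
        int fd = socket(AF_INET, SOCK_DGRAM, 0);
        if (fd < 0) {
            p.errno_at_failure = errno;   /* EMFILE = per-process limit hit */
            break;
        }
        fds[p.opened++] = fd;
        if (!fd_fits_select(fd))
            p.beyond_select++;
    }
    for (int i = 0; i < p.opened; i++)
        close(fds[i]);
    free(fds);
    return p;
}

int main(void)
{
    long lim = raise_nofile_soft_limit(65536);      /* assumed target */
    struct socket_probe p = probe_udp_sockets(2000); /* assumed batch size */
    printf("soft RLIMIT_NOFILE now %ld, FD_SETSIZE %d\n", lim, select_capacity());
    printf("opened %d UDP sockets, %d beyond select()'s reach", p.opened, p.beyond_select);
    if (p.errno_at_failure)
        printf(", socket() failed with errno %d", p.errno_at_failure);
    printf("\n");
    return 0;
}
```

If the soft limit stops short of the target, the hard limit (ulimit -H -n, or the Solaris equivalent) is what an operator needs to raise before restarting the nameserver; if sockets open fine but `beyond_select` is non-zero, the binary's FD_SETSIZE, not the kernel limit, is the bottleneck and only a rebuild with a larger FD_SETSIZE (or a 64-bit build, per the reply above) fixes it.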
Current thread:
- regarding the critical DNS protocol vulnerability Doug Pearson (Jul 10)
- <Possible follow-ups>
- Re: regarding the critical DNS protocol vulnerability Russell Fulton (Jul 10)
- Re: regarding the critical DNS protocol vulnerability Russ Harvey (Jul 10)
- Re: regarding the critical DNS protocol vulnerability Russell Fulton (Jul 11)
- Re: regarding the critical DNS protocol vulnerability Dick Jacobson (Jul 11)
- Re: regarding the critical DNS protocol vulnerability Keir Novik (Jul 11)
- Re: regarding the critical DNS protocol vulnerability Lutinski, Steven T (Jul 11)
- Re: regarding the critical DNS protocol vulnerability Shumon Huque (Jul 12)