Educause Security Discussion mailing list archives

Re: regarding the critical DNS protocol vulnerability


From: Shumon Huque <shuque () ISC UPENN EDU>
Date: Sat, 12 Jul 2008 22:03:44 -0400

On Fri, Jul 11, 2008 at 11:17:35AM -0700, Keir Novik wrote:
> [...]
> We ran out of file descriptors with 9.4.2-P1 and 9.5.0-P1 on a few
> servers
>
> Jul  9 09:42:17 named: [daemon.error] socket: too many open file
> descriptors
>
> and are now running 9.4.3b2 on them, although we've seen BIND crash
> once.  For more information on file descriptor limits for Solaris, see
>
> http://blogs.sun.com/mandalika/entry/solaris_workaround_to_stdio_s

This article refers to a file descriptor limit in stdio (the standard
I/O library), so it applies to stdio functions like fopen() etc. It
doesn't apply to socket(), which is what BIND would be using.

The Solaris operating system open file descriptor limit is much larger.
The default soft limit appears to be only 256 but programs can change
that with setrlimit() up to 65536, which is what BIND appears to be
doing.

BIND uses the select() system call to manage open sockets. select()
has a built-in limit of descriptors that it can handle. The default
appears to be 1024 for 32-bit programs, and 65536 for 64-bit programs.
And the 32-bit limit can be increased by compiling C programs with a
redefined FD_SETSIZE pre-processor definition.

I've been running bind-9.4.2-P1 for a few days on a few Solaris 10
systems. I've observed the nameserver exceed 500 descriptors without
any problems.

--Shumon.
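An added check, not from this thread and not BIND's own code, that does the two things described above: raise the soft RLIMIT_NOFILE with setrlimit() (capped at the hard limit) and flag descriptors that select() cannot track because they sit at or above FD_SETSIZE. It opens /dev/null as a stand-in for sockets; the counts are constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* Raise the soft RLIMIT_NOFILE to `wanted`, never above the hard limit.
 * Returns the soft limit in effect afterwards, or 0 on failure. */
rlim_t raise_nofile_limit(rlim_t wanted)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return 0;
    if (wanted > rl.rlim_cur) {
        rl.rlim_cur = wanted;
        if (rl.rlim_max != RLIM_INFINITY && wanted > rl.rlim_max)
            rl.rlim_cur = rl.rlim_max;      /* soft may not exceed hard */
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0) return 0;
    }
    return getrlimit(RLIMIT_NOFILE, &rl) == 0 ? rl.rlim_cur : 0;
}

/* select() only tracks descriptors below FD_SETSIZE, whatever the rlimit
 * says; FD_SET() on a larger fd writes outside the fd_set. */
int fd_select_safe(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Open n descriptors on /dev/null (stand-ins for sockets) and count how
 * many land outside select()'s range; closes them all before returning. */
int count_unselectable(int n)
{
    static int fds[FD_SETSIZE + 64];    /* enough to step past the limit */
    int opened = 0, bad = 0, i;
    if (n > FD_SETSIZE + 64) n = FD_SETSIZE + 64;
    for (i = 0; i < n; i++) {
        fds[i] = open("/dev/null", O_RDONLY);
        if (fds[i] < 0) break;          /* hit RLIMIT_NOFILE */
        opened++;
        bad += !fd_select_safe(fds[i]);
    }
    for (i = 0; i < opened; i++) close(fds[i]);
    return bad;
}

int main(void)
{
    printf("soft limit %llu, FD_SETSIZE %d, unselectable of 2000: %d\n",
           (unsigned long long)raise_nofile_limit(4096), (int)FD_SETSIZE,
           count_unselectable(2000));
    return 0;
}
```

On a 32-bit build with the default FD_SETSIZE of 1024 the last number is non-zero as soon as the daemon holds more than about a thousand descriptors, which is the wall the rlimit alone does not remove.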
