File descriptors
Todd
canadaboy at gmail.com
Thu Feb 26 18:08:40 UTC 2009
So, before I'm allowed to even think about 9.4.3-P1, because of the
outage we experienced with 9.4.2-P2, I need to run through a full test
suite/load testing in my lab. I am trying to find a succinct list of
the differences between 9.4.2-P2 and 9.4.3-P1 so I know where I should
be focusing my testing.
From the release notes, I see quite a few changes were made. What
changes I am interested in are the ones that might change the normal
behaviour of bind and/or cause it to fail again.
Not being a developer myself, I can't necessarily understand the
impact of the changes in the release notes for 9.4.3 and 9.4.3-p1, so
I don't know what the impact is to the overall service.
Can anyone In The Know help with a friendlier list of the functional
changes that may/may not have been made?
Many thanks,
T.
On Wed, Feb 25, 2009 at 5:43 PM, JINMEI Tatuya / 神明達哉
<Jinmei_Tatuya at isc.org> wrote:
> At Wed, 25 Feb 2009 09:20:52 -0500,
> Todd <canadaboy at gmail.com> wrote:
>
>> My apologies again, you are correct. I ran a named -v on the boxes,
>> forgetting that we were directly calling bind in a non-path. We are
>> in fact using 9.4.2-P2 on everything, patched to protect against
>> kaminsky. We will look at an upgrade program to get these boxes
>> (about 80 servers, unfortunately the majority of our infrastructure)
>> upgraded to protect against this.
>>
>> Are there any suggestions that anyone can provide to mitigate against
>> this coming up until such a time that we can upgrade?
>
> - make sure the 'files' named.conf option is set to a small value (the
> default value should be fine)
> - unless you need a large number of TCP connections (which is unlikely if
> named is a caching-only server) decrease the value for
> reserved-sockets (allowable minimum is 128 if I remember it
> correctly, which should be fine)
>
> In addition, if your OS is Linux, the following two *MUST* also be
> done:
>
> - make sure named is built with some large number for
> ISC_SOCKET_FDSETSIZE.
> - if your named is built with threads, make sure the allowable number
> of open files ('ulimit -n') is sufficiently large before starting
> named.
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.
>
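
As an added example (not part of the thread and not ISC code), a pre-start check for the `ulimit -n` and `reserved-sockets` points in the quoted reply. The 4096 threshold, the sample configuration and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-start check for the descriptor settings in the reply above.
# Assumptions: one option per line in named.conf, only // and # comments, and
# MIN_NOFILE is a site-chosen threshold (the thread gives no number).
MIN_NOFILE=${MIN_NOFILE:-4096}

# conf_value OPTION < named.conf : print the option's value, or nothing if unset.
conf_value() {
    sed -e 's://.*::' -e 's:#.*::' |
        awk -v opt="$1" '$1 == opt { sub(/;.*/, "", $2); print $2; exit }'
}

# check_fd_settings NOFILE MIN < named.conf
# NOFILE is the output of `ulimit -n` in the shell that will start named.
# Prints findings; returns 0 when nothing is flagged, 1 otherwise.
check_fd_settings() {
    nofile=$1 min=$2 rc=0
    conf=$(cat)
    reserved=$(printf '%s\n' "$conf" | conf_value reserved-sockets)
    files=$(printf '%s\n' "$conf" | conf_value files)
    if [ "$nofile" != unlimited ] && [ "$nofile" -lt "$min" ]; then
        echo "FAIL ulimit -n is $nofile, below the assumed minimum $min"; rc=1
    fi
    if [ -n "$reserved" ]; then
        if [ "$reserved" -lt 128 ]; then   # 128 is the minimum given in the reply
            echo "FAIL reserved-sockets $reserved is below the minimum of 128"; rc=1
        elif [ "$nofile" != unlimited ] && [ "$reserved" -ge "$nofile" ]; then
            echo "FAIL reserved-sockets $reserved leaves nothing under ulimit $nofile"; rc=1
        fi
    else
        echo "INFO reserved-sockets not set, built-in default applies"
    fi
    echo "INFO files=${files:-default}"
    return "$rc"
}

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF='options {
    directory "/var/named";   // constructed path
    files 1024;
    reserved-sockets 128;     # value mentioned in the reply
};'

# With a named.conf path as the first argument, check it against this shell's limit.
if [ -n "${1:-}" ]; then
    check_fd_settings "$(ulimit -n)" "$MIN_NOFILE" < "$1"
fi
```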