File descriptors

Todd canadaboy at gmail.com
Wed Feb 25 14:20:52 UTC 2009


My apologies again, you are correct.  I ran a named -v on the boxes,
forgetting that we were directly calling bind in a non-path.  We are
in fact using 9.4.2-P2 on everything, patched to protect against
Kaminsky.  We will look at an upgrade program to get these boxes
(about 80 servers, unfortunately the majority of our infrastructure)
upgraded to protect against this.

Are there any suggestions that anyone can provide to mitigate against
this coming up until such a time that we can upgrade?

Thank you,

Todd.

On Tue, Feb 24, 2009 at 11:01 PM, JINMEI Tatuya / 神明達哉
<Jinmei_Tatuya at isc.org> wrote:
> At Tue, 24 Feb 2009 15:10:36 -0500,
> Todd <canadaboy at gmail.com> wrote:
>
>> The servers in question are running a mix of BIND versions .. 9.2.3,
>> 9.2.4, 9.3.2, 9.3.4, 9.4.1, 9.4.2-p2, the majority are 9.3.4 and
>> 9.4.2-P2
>
> Then are confused somehow.  Among above, the only version that could
> cause the "too many open file descriptors" problem is 9.4.2-P2 (this
> doesn't mean you can safely use the others; they are vulnerable to the
> so-called 'Kaminsky' caching poisoning attacks).
>
> Regarding 9.4.2-P2, I'd strongly recommend to upgrade to 9.4.3-P1.
> 9.4.2-P2 has a fundamental performance problem due to the use of
> inefficient socket API, which has been solved in 9.4.3 and onward.
> If you still have the same problem with 9.4.3-P1, please report it
> again.
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.
>



More information about the bind-users mailing list