File descriptors
JINMEI Tatuya / 神明達哉
Jinmei_Tatuya at isc.org
Wed Feb 25 22:43:51 UTC 2009
At Wed, 25 Feb 2009 09:20:52 -0500,
Todd <canadaboy at gmail.com> wrote:
> My apologies again, you are correct. I ran a named -v on the boxes,
> forgetting that we were directly calling bind in a non-path. We are
> in fact using 9.4.2-P2 on everything, patched to protect against
> kaminsky. We will look at an upgrade program to get these boxes
> (about 80 servers, unfortunately the majority of our infrastructure)
> upgraded to protect against this.
>
> Are there any suggestions that anyone can provide to mitigate against
> this coming up until such a time that we can upgrade?
- make sure the 'files' named.conf option is set to a small value (the
default value should be fine)
- unless you need a large number of TCP connections (which is unlikely if
named is a caching-only server) decrease the value for
reserved-sockets (allowable minimum is 128 if I remember it
correctly, which should be fine)
In addition, if your OS is Linux, the following two *MUST* also be
done:
- make sure named is built with some large number for
ISC_SOCKET_FDSETSIZE.
- if your named is built with threads, make sure the allowable number
of open files ('ulimit -n') is sufficiently large before starting
named.
---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
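The script below is an added example and is not from this thread or from ISC. It is a POSIX shell check for three of the four points in the reply above: it reads the 'files' and 'reserved-sockets' values out of a named.conf and compares them with the open-file limit the shell would hand to named ('ulimit -n'), so it can be run from a start-up wrapper before named is launched. The ISC_SOCKET_FDSETSIZE build setting is fixed at compile time and is not covered. The named.conf used here is constructed for the example; the function names and the assumption that each option sits on its own line inside the options { } block are mine.

```shell
#!/bin/sh
# Added example (not part of the original thread): sanity-check the file
# descriptor settings before starting named on Linux.
# Assumption: named.conf keeps one option statement per line inside
# "options { ... }", as in the constructed sample written by write_sample_conf.

# Print the value of one named.conf option (e.g. "files", "reserved-sockets")
# from the file given as $2, or nothing if it is absent.
named_option() {
    # $1 = option name, $2 = path to named.conf
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$2" \
        | head -n 1 | tr -d '[:space:]'
}

# Return 0 when the config matches the mitigation advice, 1 otherwise.
# $1 = path to named.conf, $2 = open-file limit to compare against
# (defaults to the current shell's soft limit from 'ulimit -n').
check_named_fd_config() {
    conf="$1"
    limit="${2:-$(ulimit -n)}"
    files=$(named_option files "$conf")
    reserved=$(named_option reserved-sockets "$conf")

    # 'files' must be an explicit, bounded number: "unlimited" is the
    # opposite of the "small value" the advice asks for, and a numeric
    # value is needed to compare it with the process limit at all.
    case "$files" in
        ''|unlimited|default|*[!0-9]*)
            echo "files: not set to a numeric value (got '${files:-<unset>}')"
            return 1 ;;
    esac
    # The open-file limit in force when named starts must cover 'files'.
    if [ "$limit" != unlimited ] && [ "$limit" -lt "$files" ]; then
        echo "open-file limit ($limit) is below files ($files)"
        return 1
    fi
    # reserved-sockets must be numeric and may not go below 128, the
    # documented minimum; a caching-only server rarely needs more.
    case "$reserved" in
        ''|*[!0-9]*)
            echo "reserved-sockets: missing or non-numeric"
            return 1 ;;
    esac
    if [ "$reserved" -lt 128 ]; then
        echo "reserved-sockets ($reserved) is below the minimum of 128"
        return 1
    fi
    echo "ok: files=$files reserved-sockets=$reserved limit=$limit"
    return 0
}

# Write a constructed sample named.conf (not any real server's config) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/cache/bind";
    recursion yes;
    files 1024;
    reserved-sockets 128;
};
EOF
}

# Demo: check the constructed sample against this shell's own 'ulimit -n'.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
check_named_fd_config "$demo_conf"
rm -f "$demo_conf"
```

Run it from the same shell (or init script) that will exec named, after any 'ulimit -n' adjustment, so the limit it sees is the one named inherits; a threaded named started under a limit smaller than 'files' is exactly the case the reply warns about.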