File descriptors

Todd canadaboy at gmail.com
Thu Feb 26 18:08:40 UTC 2009


So, before I'm allowed to even think about 9.4.3-P1, because of the
outage we experienced with 9.4.2-P2, I need to run through a full test
suite/load testing in my lab.  I am trying to find a succinct list of
the differences between 9.4.2-P2 and 9.4.3-P1 so I know where I should
be focusing my testing.

From the release notes, I see quite a few changes were made.  What
changes I am interested in are the ones that might change the normal
behaviour of bind and/or cause it to fail again.

Not being a developer myself, I can't necessarily understand the
impact of the changes in the release notes for 9.4.3 and 9.4.3-p1, so
I don't know what the impact is to the overall service.

Can anyone In The Know help with a friendlier list of the functional
changes that may/may not have been made?

Many thanks,

T.

On Wed, Feb 25, 2009 at 5:43 PM, JINMEI Tatuya / 神明達哉
<Jinmei_Tatuya at isc.org> wrote:
> At Wed, 25 Feb 2009 09:20:52 -0500,
> Todd <canadaboy at gmail.com> wrote:
>
>> My apologies again, you are correct.  I ran a named -v on the boxes,
>> forgetting that we were directly calling bind in a non-path.  We are
>> in fact using 9.4.2-P2 on everything, patched to protect against
>> Kaminsky.  We will look at an upgrade program to get these boxes
>> (about 80 servers, unfortunately the majority of our infrastructure)
>> upgraded to protect against this.
>>
>> Are there any suggestions that anyone can provide to mitigate against
>> this coming up until such a time that we can upgrade?
>
> - make sure the 'files' named.conf option is set to a small value (the
>  default value should be fine)
> - unless you need a large number of TCP connections (which is unlikely
>  if named is a caching-only server), decrease the value for
>  reserved-sockets (allowable minimum is 128 if I remember it
>  correctly, which should be fine)
>
> In addition, if your OS is Linux, the following two *MUST* also be
> done:
>
> - make sure named is built with some large number for
>  ISC_SOCKET_FDSETSIZE.
> - if your named is built with threads, make sure the allowable number
>  of open files ('ulimit -n') is sufficiently large before starting
>  named.
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.
>
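
An added example, not part of the original thread: a POSIX shell check for the 'ulimit -n' point in the quoted reply, comparing a Linux process's soft open-file limit (from /proc/<pid>/limits) with the descriptors it currently holds. The function names, the default headroom of 128 and the sample limits table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a process's open-file limit with its current
# descriptor usage on Linux. Thresholds are assumptions, not thread values.

# Constructed sample of /proc/<pid>/limits content, for offline use.
sample_limits() {
    cat <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max processes             31436                31436                processes
EOF
}

# Read limits text on stdin and print the soft "Max open files" value.
soft_nofile() {
    awk '/^Max open files/ { print $4 }'
}

# fd_status SOFT_LIMIT OPEN_FDS MIN_HEADROOM
# Prints OK, LOW or BAD; returns 0 for OK, 1 for LOW, 2 for bad input.
fd_status() {
    limit=$1; open=$2; need=$3
    if [ "$limit" = "unlimited" ]; then echo "OK"; return 0; fi
    for v in "$limit" "$open" "$need"; do
        case "$v" in
            ''|*[!0-9]*) echo "BAD"; return 2 ;;
        esac
    done
    if [ $((limit - open)) -ge "$need" ]; then
        echo "OK"; return 0
    fi
    echo "LOW"; return 1
}

# With a PID argument, check the live process (needs permission to read
# /proc/<pid>/fd). The second argument is the headroom, default 128 (assumed).
if [ -n "${1:-}" ] && [ -r "/proc/$1/limits" ]; then
    lim=$(soft_nofile < "/proc/$1/limits")
    used=$(ls "/proc/$1/fd" | wc -l | tr -d ' ')
    echo "pid $1: limit=$lim open=$used $(fd_status "$lim" "$used" "${2:-128}")"
fi
```

Run it with the PID of named as the first argument; the limit reported is the one the process inherited when it was started, which is why the limit has to be raised before starting named.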


