Trying to understand DNSSEC and BIND versions better
Chris Buxton
cbuxton at menandmice.com
Fri Jun 12 18:57:37 UTC 2009
On Jun 12, 2009, at 1:50 AM, Adam Tkac wrote:
> On Wed, Jun 10, 2009 at 08:37:52PM -0700, Chris Buxton wrote:
>> A few of our customers, running servers that they describe as
>> experiencing high traffic (by their own standards), have had to have us
>> rebuild BIND from the stock source code for them to solve frequent
>> crashing during such high traffic episodes. Frequent in this case
>> typically means that named either just dies or dumps core within a few
>> seconds of starting up.
>
> Have you ever reported the problems to the Red Hat or Debian bug
> tracker? Generally you don't have to be an experienced programmer. Your
> bug report can contain, for example, only "named crashed with this INSIST
> failure: ...". Your vendor will ask you for more information if
> needed.
Since the servers that have been affected were not mine, I did not do so.
> I think it is a good idea to use the package from your vendor because
> you don't have to watch bind-announce, don't have to compile each
> time BIND is updated, etc. You can simply run "yum update" or
> "apt-get upgrade" and be sure you have software without
> security issues. But feel free to compile named yourself if you prefer
> this approach.
There's a definite argument in favor of this. However, this assumes
that the vendors are on the ball. For example, for a long time after
9.3.5-P2 was released, the RH build of BIND on RHEL 5 was still using
the -P1 patch. This was a real problem for a small number of our
customers.
For most servers, the vendor-supplied builds work fine. But IMO for
high-traffic servers, it makes sense for the server administrator to
do it himself. This would be true whether or not the vendor supplied
build had stability problems on that server.
Chris Buxton
Professional Services
Men & Mice
More information about the bind-users mailing list