Security Advisory: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate

Dennis Clarke dclarke at blastwave.org
Wed Feb 23 05:08:46 UTC 2011 

> Hi Dennis,
>
> Thank you for getting 9.7.3 out on Solaris, that is a huge help in
> getting this important update out there.

I have been running 9.7.3 for a few days now on all my production DNS
servers ( a bunch ) and a few in client sites in Europe. All seems to be
running very well and the upgrade was silky smooth.  A measure of awesome
software to be true.

# uname -a
SunOS callistoz 5.10 Generic_144488-04 sun4u sparc SUNW,Sun-Fire-480R
# /opt/csw/sbin/rndc -s 127.0.0.1 -k /etc/opt/csw/rndc.key status
version: 9.7.3
CPUs found: 4
worker threads: 4
number of zones: 44
debug level: 1
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

$ pkginfo -l CSWbind
   PKGINST:  CSWbind
      NAME:  bind - ISC BIND 9.7.3 DNS main package
  CATEGORY:  application
      ARCH:  sparc
   VERSION:  9.7.3,REV=2011.02.19
   BASEDIR:  /opt/csw
    VENDOR:  http://www.isc.org/software/bind packaged by Blastwave.org Inc.
      DESC:  CSWbind - ISC BIND 9.7.3 DNS main package
    PSTAMP:  mimas20110219031415
  INSTDATE:  Feb 19 2011 16:57
   HOTLINE:  http://www.blastwave.org/
     EMAIL:  support at blastwave.org
    STATUS:  completely installed
     FILES:      361 installed pathnames
                   9 shared pathnames
                  23 linked files
                  17 directories
                  34 executables
               28684 blocks used (approx)

This has been tested all the way back to Solaris 8 on i386 and sparc so it
looks very solid.

The 9.7.3 packages are released a few minutes ago to the primary site at
download.blastwave.org and it will be in the various US universities and
then the other 50 or so mirrors within six hours. More or less.

> I do not know the answer to your question about the NIST CVE listings,
> but I will inquire. Our CVE numbers actually come to us from
> Carnegie-Mellon CERT, not NIST, but NIST does keep an up to date list
> generally.
>
> I'll also post here if/when I find out more.

thank you and stay in touch !

-- 
Dennis Clarke
dclarke at opensolaris.ca  <- Email related to the open source Solaris
dclarke at blastwave.org   <- Email related to open source for Solaris

More information about the bind-users mailing list