URGENT, PLEASE READ: 9.5.0-P1 now available
Walter Gould
gouldwp at auburn.edu
Wed Jul 9 15:56:30 UTC 2008
I upgraded this morning from 9.5.0 to 9.5.0-P1 and shortly after began
receiving the below errors. Would anybody know why? Also - this killed
external name resolution for us. Thanks in advance.
Jul 9 09:17:53 dns named: named startup succeeded
Jul 9 09:19:24 dns named[25109]: error: socket.c:2105: unexpected error:
Jul 9 09:19:24 dns named[25109]: error: internal_accept: fcntl()
failed: Too many open files
Jul 9 09:20:28 dns named[25109]: error: socket.c:2105: unexpected error:
Jul 9 09:20:28 dns named[25109]: error: internal_accept: fcntl()
failed: Too many open files
Jul 9 09:25:28 dns named[25109]: error: socket.c:2105: unexpected error:
Jul 9 09:25:28 dns named[25109]: error: internal_accept: fcntl()
failed: Too many open files
Jul 9 09:35:27 dns named[25109]: error: socket.c:2105: unexpected error:
Jul 9 09:35:27 dns named[25109]: error: internal_accept: fcntl()
failed: Too many open files
Jul 9 09:35:27 dns named[25109]: error: socket.c:2105: unexpected error:
Jul 9 09:35:27 dns named[25109]: error: internal_accept: fcntl()
failed: Too many open files
Walter Gould
Auburn University
Evan Hunt wrote:
> BIND 9.5.0-P1 is now available.
>
> BIND 9.5.0-P1 is a SECURITY release of BIND 9.5.
>
> URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT
> URGENT URGENT
> URGENT THIS ANNOUNCEMENT REFERS TO AN ISSUE THAT MAY AFFECT THE URGENT
> URGENT INTEGRITY OF YOUR RECURSIVE DNS SERVICE URGENT
> URGENT URGENT
> URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT
>
> Thanks to recent work by Dan Kaminsky of IOActive, ISC has become
> aware of a potential attack exploiting weaknesses in the DNS protocol
> itself to enable the poisoning of caching recursive resolvers with
> spoofed data.
>
> For additional information about this vulnerability, see US-CERT
> (CERT VU#800113 DNS Cache Poisoning Issue). For more details on
> changes to BIND, see http://www.isc.org/sw/bind/forgery-resilience.php.
>
> IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.
>
> DNSSEC is the only definitive solution for this issue. Understanding
> that immediate DNSSEC deployment is not a realistic expectation, ISC
> is releasing patched versions of BIND that improve its resilience
> against this attack. The method used makes it harder to spoof answers
> to a resolver by expanding the range of UDP ports from which queries
> are sent by the nameserver, thereby increasing the variability of
> parameters in outgoing queries.
>
> The code implementing the improved defenses against spoofing attacks
> is the only change between this release and the underlying version
> (9.5.0).
>
> The patch will have a noticeable impact on the performance of BIND
> caching resolvers with query rates at or above 10,000 queries per
> second. If performance at this level is critical for you, please
> refer to the new beta releases of BIND (9.5.1b1 or 9.4.3b2; see
> separate announcements).
>
> YOU ARE ADVISED TO INSTALL EITHER THIS SECURITY PATCH OR ONE OF THE
> BETA RELEASES (9.5.1b1 or 9.4.3b2), IMMEDIATELY.
>
> BIND 9.5.0-P1 can be downloaded from
>
> ftp://ftp.isc.org/isc/bind9/9.5.0-P1/bind-9.5.0-P1.tar.gz
>
> The PGP signature of the distribution is at
>
> ftp://ftp.isc.org/isc/bind9/9.5.0-P1/bind-9.5.0-P1.tar.gz.asc
> ftp://ftp.isc.org/isc/bind9/9.5.0-P1/bind-9.5.0-P1.tar.gz.sha256.asc
> ftp://ftp.isc.org/isc/bind9/9.5.0-P1/bind-9.5.0-P1.tar.gz.sha512.asc
>
> The signature was generated with the ISC public key, which is
> available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.
>
> A binary kit for Windows 2000, Windows XP and Windows 2003 is at
>
> ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.zip
> ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.debug.zip
>
> The PGP signature of the binary kit for Windows 2000, Windows XP and
> Windows 2003 is at
>
> ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.zip.asc
> ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.zip.sha256.asc
> ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.zip.sha512.asc
> ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.debug.zip.asc
> ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.debug.zip.sha256.asc
> ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.debug.zip.sha512.asc
>
> Changes since 9.5.0:
>
> --- 9.5.0-P1 released ---
>
> 2375. [security] Fully randomize UDP query ports to improve
> forgery resilience. [RT #17949]
>
>
>
--
Walter P. Gould
Info. Tech. Specialist
Office of Information Technology
Auburn University, AL
gouldwp at auburn.edu
www.auburn.edu/~gouldwp
334-844-9327
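
Added example, not part of the original message and not ISC or BIND code: a small Python check for syslog excerpts like the one reported in this message. It rejoins continuation lines that a mail client wrapped, then reports how many seconds after `named` startup the first `Too many open files` error appears and how many such errors each PID logged. The sample lines are constructed in the same format; the function names and the `year` parameter (syslog timestamps carry no year) are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the log excerpt in the message,
# including the wrap that splits "fcntl()" from "failed: ...".
SAMPLE = """\
Jul 9 09:17:53 dns named: named startup succeeded
Jul 9 09:19:24 dns named[25109]: error: socket.c:2105: unexpected error:
Jul 9 09:19:24 dns named[25109]: error: internal_accept: fcntl()
failed: Too many open files
Jul 9 09:20:28 dns named[25109]: error: socket.c:2105: unexpected error:
Jul 9 09:20:28 dns named[25109]: error: internal_accept: fcntl()
failed: Too many open files
"""

# Syslog header: timestamp, host, "named" with optional [pid], message.
HEAD = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) named(?:\[(\d+)\])?: (.*)$")

def unwrap(text):
    """Rejoin continuation lines (no syslog header) onto the previous record."""
    records = []
    for line in text.splitlines():
        if HEAD.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def fd_exhaustion_report(text, year=2008):
    """Return (seconds from last startup to first fd error, error count per pid)."""
    started, first_err, per_pid = None, None, Counter()
    for rec in unwrap(text):
        m = HEAD.match(rec)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(4)
        if "startup succeeded" in msg:
            started, first_err = ts, None   # a restart resets the clock
        elif "Too many open files" in msg:
            per_pid[m.group(3)] += 1
            first_err = first_err or ts
    delay = (first_err - started).total_seconds() if started and first_err else None
    return delay, dict(per_pid)

if __name__ == "__main__":
    print(fd_exhaustion_report(SAMPLE))
```

A short delay between startup and the first error, as in the sample, indicates the process reaches its open-file limit under normal load rather than after a slow leak.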