[nsp-sec] Issues with BIND patching..
Florian Weimer
fweimer at bfk.de
Wed Jul 9 10:18:33 EDT 2008
* Huopio Kauto:
> Florian - we have received one report that the patches to BIND 9.4.2
> didn't work in a high-volume (> 10000 qps ) environment. No error
> messages, but dns usage tests failed from the end user viewpoint.
>
> Any comments/observations?
There is a rather cryptic note in the ISC announcement regarding this
topic. I think the patch deals poorly with the case when there are
sufficiently many parallel transactions and it becomes likely to hit a
source port which is already in use.
The BIND betas which have been published by ISC should address this
(9.4.3b2 and 9.51b1). They are better suited to stateless firewall
filtering as well.
Another workaround could be to split the client population into
several sets, and assign different views with different query source
addresses to them. However, the additional memory required may be
prohibitive. It's probably better to use the betas because they are
at least somewhat tested.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
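The following is an added illustration, not part of this thread or of ISC's code, of the effect Florian describes: with many queries in flight, a freshly chosen random source port is increasingly likely to be one already in use, and splitting the clients over several views with distinct query source addresses shrinks that chance because each address has its own port pool. The port range, the upstream round-trip time, the number of retries and the even split of load across views are all assumed values for the model.

```python
import random

# Assumed usable UDP source-port range for a resolver (constructed example;
# the real range depends on the operating system and named's configuration).
PORT_RANGE = range(1024, 65536)
POOL_SIZE = len(PORT_RANGE)  # 64512 candidate ports


def expected_outstanding(qps, rtt_seconds):
    """Little's law: queries in flight ~= arrival rate * time each stays open."""
    return int(qps * rtt_seconds)


def first_try_collision_probability(outstanding, pool_size=POOL_SIZE):
    """Chance that one fresh, uniformly random port is already held by one of
    `outstanding` in-flight queries."""
    if outstanding >= pool_size:
        return 1.0
    return outstanding / pool_size


def collision_probability_with_views(outstanding, addresses, pool_size=POOL_SIZE):
    """Per-pick collision chance when clients are split across `addresses`
    views, each with its own query-source address and therefore its own
    port pool. The in-flight load is assumed to divide evenly (assumption)."""
    return first_try_collision_probability(outstanding / addresses, pool_size)


class RandomPortAllocator:
    """Toy allocator: draw a random port, retry a bounded number of times if it
    is busy, and give up (the 'silent failure' case) once retries run out."""

    def __init__(self, pool_size, rng, max_retries):
        self.pool_size = pool_size
        self.rng = rng
        self.max_retries = max_retries
        self.in_use = set()
        self.collisions = 0   # picks that landed on a busy port
        self.failures = 0     # queries that never obtained a port

    def acquire(self):
        for _ in range(self.max_retries + 1):
            port = self.rng.randrange(self.pool_size)
            if port not in self.in_use:
                self.in_use.add(port)
                return port
            self.collisions += 1
        self.failures += 1
        return None

    def release(self, port):
        self.in_use.discard(port)


def simulate(outstanding, trials, max_retries=0, pool_size=POOL_SIZE, seed=1):
    """Hold `outstanding` random ports open, then issue `trials` further queries
    one at a time. Returns (collision_rate_per_pick, failure_rate_per_query)."""
    rng = random.Random(seed)
    alloc = RandomPortAllocator(pool_size, rng, max_retries)
    alloc.in_use.update(rng.sample(range(pool_size), outstanding))
    for _ in range(trials):
        port = alloc.acquire()
        if port is not None:
            alloc.release(port)
    picks = alloc.collisions + (trials - alloc.failures)
    return alloc.collisions / picks, alloc.failures / trials


if __name__ == "__main__":
    qps = 10000  # the load level mentioned in the thread
    for rtt in (0.05, 0.2, 1.0):  # assumed upstream round-trip times
        n = expected_outstanding(qps, rtt)
        print(f"rtt={rtt:.2f}s outstanding={n:6d} "
              f"p(collision)={first_try_collision_probability(n):.4f} "
              f"with 4 views={collision_probability_with_views(n, 4):.4f}")
    no_retry = simulate(10000, 20000, max_retries=0)
    with_retry = simulate(10000, 20000, max_retries=3)
    print(f"no retries: collisions/pick={no_retry[0]:.3f} failures/query={no_retry[1]:.4f}")
    print(f"3 retries:  collisions/pick={with_retry[0]:.3f} failures/query={with_retry[1]:.4f}")
```

The simulation is the point of the model: at the same in-flight load, an allocator that gives up on the first busy port fails on roughly the per-pick collision fraction of all queries, which the end user sees as unexplained lookup failures with nothing in the logs, while bounded retries push the failure rate down by orders of magnitude and views with separate source addresses reduce the collision chance before any retry is needed.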