Understanding SERVFAIL (for google)
Mark_Andrews at isc.org
Thu Mar 31 05:27:19 UTC 2005
> On Thu, Mar 31, 2005 at 12:29:46PM +1000, Mark Andrews wrote:
> > > 9.2.2-P3-1 on Debian Stable.
> > >
> > > I'm trying to understand how to debug this.
> > Before attempting to debug this upgrade. Why anyone would
> > want to continue running old code with lots of known bugs
> > is beyond me.
> Hi Mark,
> That's the trade off with tracking the Debian Stable packages with
> only security updates, of course.
If you want to be secure with externally accessable components
then keeping them up to date is generally the best policy.
Named, I am sure, is inspected by black hats at every release
for fixes that may expose remote holes. While we also do
this and issue advisaries when we find something, we won't
guarantee that we havn't missed a case. Staying up to date
limits your exposure.
> Are you saying that the problem I'm seeing is due to running Debian's
> version of Bind? Or just that the version in Debian Stable is not capable
> of debugging the problem?
> Bill Moseley
> moseley at hank.org
Well there are bug fixes in there that may fix your problem.
I'm pretty sure Debian (as do most Linux vendors) has
threading enabled in the server and a number of major race
conditions have been removed since 9.2.2. All of these can
take down named.
Sometimes I feel we should just issue a security advisary
so that people will just upgrade. Running old code is a
security risk in its own right.
It's also frustrating when people don't upgrade as it takes
resources to maintain seperate branches for bug fixes.
People and vendors complained when we were adding both
features and fixes. Reasonably I might add. Now you have
a choice fixes only or fixes + features.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users