Understanding SERVFAIL (for google)

Mark Andrews Mark_Andrews at isc.org
Thu Mar 31 05:27:19 UTC 2005

> On Thu, Mar 31, 2005 at 12:29:46PM +1000, Mark Andrews wrote:
> > 
> > > 9.2.2-P3-1 on Debian Stable.
> > > 
> > > I'm trying to understand how to debug this.
> > 
> > 	Before attempting to debug this, upgrade.  Why anyone would
> > 	want to continue running old code with lots of known bugs
> > 	is beyond me.
> Hi Mark,
> That's the trade-off with tracking the Debian Stable packages with
> only security updates, of course.

	If you want to be secure with externally accessible components
	then keeping them up to date is generally the best policy.
	Named, I am sure, is inspected by black hats at every release
	for fixes that may expose remote holes.  While we also do
	this and issue advisories when we find something, we won't
	guarantee that we haven't missed a case.  Staying up to date
	limits your exposure.

> Are you saying that the problem I'm seeing is due to running Debian's
> version of Bind?  Or just that the version in Debian Stable is not capable
> of debugging the problem?
> Thanks,
> -- 
> Bill Moseley
> moseley at hank.org

	Well there are bug fixes in there that may fix your problem.

	I'm pretty sure Debian (as do most Linux vendors) has
	threading enabled in the server and a number of major race
	conditions have been removed since 9.2.2.  All of these can
	take down named.

	Sometimes I feel we should just issue a security advisory
	so that people will just upgrade.  Running old code is a
	security risk in its own right.

	It's also frustrating when people don't upgrade as it takes
	resources to maintain separate branches for bug fixes.
	People and vendors complained when we were adding both
	features and fixes.  Reasonably I might add.  Now you have
	a choice: fixes only or fixes + features.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
