URGENT, PLEASE READ: 9.5.0-P1 now available

Walter Gould gouldwp at auburn.edu
Wed Jul 9 15:56:30 UTC 2008


I upgraded this morning from 9.5.0 to 9.5.0-P1 and shortly after began 
receiving the below errors.  Would anybody know why?  Also - this killed 
external name resolution for us.  Thanks in advance.

Jul  9 09:17:53 dns named: named startup succeeded
Jul  9 09:19:24 dns named[25109]: error: socket.c:2105: unexpected error:
Jul  9 09:19:24 dns named[25109]: error: internal_accept: fcntl() failed: Too many open files
Jul  9 09:20:28 dns named[25109]: error: socket.c:2105: unexpected error:
Jul  9 09:20:28 dns named[25109]: error: internal_accept: fcntl() failed: Too many open files
Jul  9 09:25:28 dns named[25109]: error: socket.c:2105: unexpected error:
Jul  9 09:25:28 dns named[25109]: error: internal_accept: fcntl() failed: Too many open files
Jul  9 09:35:27 dns named[25109]: error: socket.c:2105: unexpected error:
Jul  9 09:35:27 dns named[25109]: error: internal_accept: fcntl() failed: Too many open files
Jul  9 09:35:27 dns named[25109]: error: socket.c:2105: unexpected error:
Jul  9 09:35:27 dns named[25109]: error: internal_accept: fcntl() failed: Too many open files


Walter Gould
Auburn University


Evan Hunt wrote:
> 	    BIND 9.5.0-P1 is now available.
>
>     BIND 9.5.0-P1 is a SECURITY release of BIND 9.5.
>
>   URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT
>   URGENT                                                                URGENT 
>   URGENT    THIS ANNOUNCEMENT REFERS TO AN ISSUE THAT MAY AFFECT THE    URGENT 
>   URGENT           INTEGRITY OF YOUR RECURSIVE DNS SERVICE              URGENT 
>   URGENT                                                                URGENT 
>   URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT
>
>     Thanks to recent work by Dan Kaminsky of IOActive, ISC has become
>     aware of a potential attack exploiting weaknesses in the DNS protocol
>     itself to enable the poisoning of caching recursive resolvers with
>     spoofed data.
>
>     For additional information about this vulnerability, see US-CERT
>     (CERT VU#800113 DNS Cache Poisoning Issue).  For more details on
>     changes to BIND, see http://www.isc.org/sw/bind/forgery-resilience.php.
>
>     IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.
>
>     DNSSEC is the only definitive solution for this issue.  Understanding
>     that immediate DNSSEC deployment is not a realistic expectation, ISC
>     is releasing patched versions of BIND that improve its resilience
>     against this attack.  The method used makes it harder to spoof answers
>     to a resolver by expanding the range of UDP ports from which queries
>     are sent by the nameserver, thereby increasing the variability of
>     parameters in outgoing queries.
>
>     The code implementing the improved defenses against spoofing attacks
>     is the only change between this release and the underlying version
>     (9.5.0).
>
>     The patch will have a noticeable impact on the performance of BIND
>     caching resolvers with query rates at or above 10,000 queries per
>     second.  If performance at this level is critical for you, please
>     refer to the new beta releases of BIND (9.5.1b1 or 9.4.3b2; see
>     separate announcements).
>
>     YOU ARE ADVISED TO INSTALL EITHER THIS SECURITY PATCH OR ONE OF THE
>     BETA RELEASES (9.5.1b1 or 9.4.3b2), IMMEDIATELY.
>
> BIND 9.5.0-P1 can be downloaded from
>
>         ftp://ftp.isc.org/isc/bind9/9.5.0-P1/bind-9.5.0-P1.tar.gz
>
> The PGP signature of the distribution is at
>
>         ftp://ftp.isc.org/isc/bind9/9.5.0-P1/bind-9.5.0-P1.tar.gz.asc
>         ftp://ftp.isc.org/isc/bind9/9.5.0-P1/bind-9.5.0-P1.tar.gz.sha256.asc
>         ftp://ftp.isc.org/isc/bind9/9.5.0-P1/bind-9.5.0-P1.tar.gz.sha512.asc
>
> The signature was generated with the ISC public key, which is
> available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.
>
> A binary kit for Windows 2000, Windows XP and Windows 2003 is at
>
> 	ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.zip
> 	ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.debug.zip
>
> The PGP signature of the binary kit for Windows 2000, Windows XP and
> Windows 2003 is at
>         
> 	ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.zip.asc
> 	ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.zip.sha256.asc
> 	ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.zip.sha512.asc
> 	ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.debug.zip.asc
> 	ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.debug.zip.sha256.asc
> 	ftp://ftp.isc.org/isc/bind9/9.5.0-P1/BIND9.5.0-P1.debug.zip.sha512.asc
>
> Changes since 9.5.0:
>
> 	--- 9.5.0-P1 released ---
>
> 2375.   [security]      Fully randomize UDP query ports to improve
> 			forgery resilience. [RT #17949]
>
>
>   


-- 
Walter P. Gould
Info. Tech. Specialist
Office of Information Technology
Auburn University, AL
gouldwp at auburn.edu
www.auburn.edu/~gouldwp
334-844-9327
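
Added example (not part of the original message and not ISC code): a small Python triage script for syslog excerpts like the one in the message above. It rejoins continuation lines that a mail client wrapped, counts "Too many open files" records per named PID, and reports how many seconds after "named startup succeeded" the first one appeared. The sample lines are constructed in the format of the excerpt, the year defaults to 2008 because syslog timestamps omit it, and all function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the format of the excerpt above; the "failed: ..."
# lines imitate records that were wrapped when pasted into a mail.
SAMPLE = """\
Jul  9 09:17:53 dns named: named startup succeeded
Jul  9 09:19:24 dns named[25109]: error: socket.c:2105: unexpected error:
Jul  9 09:19:24 dns named[25109]: error: internal_accept: fcntl()
failed: Too many open files
Jul  9 09:20:28 dns named[25109]: error: socket.c:2105: unexpected error:
Jul  9 09:20:28 dns named[25109]: error: internal_accept: fcntl()
failed: Too many open files
"""

HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"named(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def unwrap(text):
    """A line without a syslog header continues the previous record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if HEADER.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def fd_exhaustion(text, year=2008):
    """Summarise EMFILE ("Too many open files") records per named PID."""
    started, hits = {}, {}
    for rec in unwrap(text):
        m = HEADER.match(rec)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if "startup succeeded" in m["msg"]:
            started[m["host"]] = when          # startup record carries no PID
        elif "Too many open files" in m["msg"]:
            h = hits.setdefault(m["pid"], {"count": 0, "first": m["ts"],
                                           "after_start_s": None})
            if h["count"] == 0 and m["host"] in started:
                delta = when - started[m["host"]]
                h["after_start_s"] = int(delta.total_seconds())
            h["count"] += 1
            h["last"] = m["ts"]
    return hits

if __name__ == "__main__":
    for pid, h in fd_exhaustion(SAMPLE).items():
        print(f"named[{pid}]: {h}")
```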


