bind-9.8.1: INSIST(! dns_rdataset _isassociated(sigrdataset)) failed
Paul Wouters
paul at xelerance.com
Wed Nov 16 16:47:34 UTC 2011
On Wed, 16 Nov 2011, David Ford wrote:
> can we have a paradigm shift from ISC please? instead of falling over
> dead with insist/assert, please bleat a warning and drop the problematic
> issue on the floor instead and press on with business. many BIND DoS
> attacks (and zone typos) are very effective for just this reason.
These however do guarantee internal state so any kind of new bug is much easier
to find and fix. Openswan does the same thing for this very reason. However,
openswan does have an init script that runs a while(1) loop over its daemon.
This means once we encounter unexpected state, we drop all state and restart.
Perhaps bind and/or distributions should also use such an init script. I would prefer
that over attempting to continue with a bad internal state and seeing apparent
random state/crashers later on in bind because it tried to continue after something
bad.
Paul
More information about the bind-users
mailing list