bind-9.8.1: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed
michoski
michoski at cisco.com
Wed Nov 16 18:59:04 UTC 2011
On 11/16/11 5:14 AM, "Phil Mayers" <p.mayers at imperial.ac.uk> wrote:
> On 16/11/11 13:07, Warren Kumari wrote:
>> It was (very convincingly!) explained to me that INSISTS() are only
>> used for the "this should not happen" cases, and if the INSISTS()
>> were not there, many of the recent attacks may have led to much worse
>> things like buffer overflows / more worrying security issues (and
>> that the push for INSIST() was directly from this sort of thing in
>> 8.x).
Having spent much time with 8.x, makes sense to me.
> I tend to agree with this kind of reasoning.
>
> It might be good if bind were able to re-start itself, rather than dying
> outright (e.g. re-exec the process) but that is dangerous too; it's
> better done by an unrelated supervising process.
Init, daemontools, etc... Easy enough, but identifying and fixing the issue
is of course the real goal. Long-term mitigation is annoying. ;-)
I'm glad to hear it sounds like BIND 10 DTRT (real solution via R&D), this
is the first big item to make me track it seriously.
Needless to say, I'm adding new log monitoring to my 9.8.1 boxes!
--
By nature, men are nearly alike;
by practice, they get to be wide apart.
-- Confucius
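
One way to do the kind of log monitoring mentioned in the message above, as an added example that is not part of the original post: a scanner that picks assertion failures such as the one in the subject line out of named's log and notes whether the daemon exited afterwards. The log layout, the `scan` function and the sample lines (including the `example.c:0` location) are constructed assumptions, not output from a real server.

```python
import re
from collections import Counter

# Assumed log layout: "[file.c:line: ]MACRO(expression) failed[, back trace]".
# INSIST/REQUIRE/ENSURE/INVARIANT are the ISC assertion macros.
ASSERT_RE = re.compile(
    r"(?:(?P<file>[\w./-]+\.c):(?P<line>\d+):\s*)?"
    r"(?P<macro>INSIST|REQUIRE|ENSURE|INVARIANT)\((?P<expr>.*)\)\s*failed"
)
# Message named logs when it stops because of an assertion.
EXIT_RE = re.compile(r"exiting \(due to assertion failure\)")

# Constructed sample input; timestamps and source location are placeholders.
SAMPLE = [
    "16-Nov-2011 12:00:01.000 general: info: zone example.test/IN: loaded serial 1",
    "16-Nov-2011 12:03:17.000 general: critical: example.c:0: "
    "INSIST(! dns_rdataset_isassociated(sigrdataset)) failed, back trace",
    "16-Nov-2011 12:03:17.000 general: critical: exiting (due to assertion failure)",
    "16-Nov-2011 12:05:00.000 general: info: running",
]


def scan(lines):
    """Return (events, counts): one event per assertion, counts per expression."""
    events, counts = [], Counter()
    for lineno, text in enumerate(lines, 1):
        match = ASSERT_RE.search(text)
        if match:
            # Drop whitespace so differently spaced copies of the same
            # expression are counted together.
            expr = re.sub(r"\s+", "", match.group("expr"))
            events.append({
                "lineno": lineno,
                "macro": match.group("macro"),
                "expr": expr,
                "where": match.group("file"),
                "exited": False,
            })
            counts[expr] += 1
        elif EXIT_RE.search(text) and events:
            # The exit message follows the assertion that caused it.
            events[-1]["exited"] = True
    return events, counts


if __name__ == "__main__":
    found, totals = scan(SAMPLE)
    for event in found:
        state = "daemon exited" if event["exited"] else "no exit seen"
        print(f"line {event['lineno']}: {event['macro']}({event['expr']}) - {state}")
    print(dict(totals))
```
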