bind-9.8.1: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed

michoski michoski at cisco.com
Wed Nov 16 18:59:04 UTC 2011


On 11/16/11 5:14 AM, "Phil Mayers" <p.mayers at imperial.ac.uk> wrote:
> On 16/11/11 13:07, Warren Kumari wrote:
>> It was (very convincingly!) explained to me that INSISTS() are only
>> used for the "this should not happen" cases, and if the INSISTS()
>> were not there, many of the recent attacks may have led to much worse
>> things like buffer overflows / more worrying security issues (and
>> that the push for INSIST() was directly from this sort of thing in
>> 8.x...).

Having spent much time with 8.x, makes sense to me.

> I tend to agree with this kind of reasoning.
> 
> It might be good if bind were able to re-start itself, rather than dying
> outright (e.g. re-exec the process) but that is dangerous too; it's
> better done by an unrelated supervising process.

Init, daemontools, etc...  Easy enough, but identifying and fixing the issue
is of course the real goal.  Long-term mitigation is annoying.  ;-)

I'm glad to hear it sounds like BIND 10 DTRT (real solution via R&D), this
is the first big item to make me track it seriously.

Needless to say, I'm adding new log monitoring to my 9.8.1 boxes!

-- 
By nature, men are nearly alike;
by practice, they get to be wide apart.
        -- Confucius
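
A sketch of the kind of log monitoring mentioned in the message above, added here as an example and not part of the original post or of BIND itself. It assumes named logs through syslog in the shape `file.c:LINE: MACRO(condition) failed` followed by `exiting (due to assertion failure)`; the sample log lines, host name, PIDs, source file name and line number are constructed.

```python
import re

# Assumed log shape: "<file>.c:<line>: <MACRO>(<condition>) failed[, back trace]".
# INSIST is the macro from this thread; REQUIRE, ENSURE and INVARIANT are the
# other ISC assertion macros, assumed here to be logged in the same shape.
ASSERT_RE = re.compile(
    r"named\[(?P<pid>\d+)\]:.*?(?P<src>[\w./-]+\.c):(?P<line>\d+): "
    r"(?P<macro>INSIST|REQUIRE|ENSURE|INVARIANT)\((?P<expr>.*)\) failed"
)
EXIT_RE = re.compile(
    r"named\[(?P<pid>\d+)\]:.*exiting \(due to assertion failure\)"
)

# Constructed sample input, not taken from a real server.
SAMPLE_LOG = [
    "Nov 16 10:00:00 ns1 named[4242]: client 192.0.2.10#53000: query: example.com IN A",
    "Nov 16 10:00:01 ns1 named[4242]: general: critical: example.c:100: "
    "INSIST(! dns_rdataset_isassociated(sigrdataset)) failed, back trace",
    "Nov 16 10:00:01 ns1 named[4242]: general: critical: exiting (due to assertion failure)",
    "Nov 16 10:00:05 ns1 named[4300]: general: notice: running",
]


def find_assertion_failures(lines):
    """Return one record per assertion failure, noting whether named exited."""
    events, by_pid = [], {}
    for text in lines:
        m = ASSERT_RE.search(text)
        if m:
            event = {**m.groupdict(), "exited": False}
            events.append(event)
            by_pid[event["pid"]] = event
            continue
        m = EXIT_RE.search(text)
        # Pair the exit message with the assertion logged by the same PID.
        if m and m["pid"] in by_pid:
            by_pid[m["pid"]]["exited"] = True
    return events


if __name__ == "__main__":
    for ev in find_assertion_failures(SAMPLE_LOG):
        state = "process exited" if ev["exited"] else "no exit line seen"
        print(f"ALERT named[{ev['pid']}] {ev['macro']}({ev['expr']}) "
              f"at {ev['src']}:{ev['line']} ({state})")
```

Keying the alert on the macro and condition text rather than on one exact string lets the same check catch other assertion failures, while the supervising process discussed above handles the restart.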



