9.2.5 db causes high cpu? was: Re: BIND 9.2.5rc1 is now available.

Jim Reid jim at rfc1035.com
Wed Feb 23 04:46:45 UTC 2005

>>>>> "Brad" == Brad Knowles <brad at stop.mail-abuse.org> writes:

    >> i should know this stuff.  i was a founder at nominum and i'm
    >> still an advisor there.  but i don't, so i'll ask.  isn't this
    >> the same as what late-model bind9 does by regenerating every
    >> response through the cache?  (bind4 and bind8 would forward raw
    >> results back to the stub resolver, and early bind9 did that,
    >> but as far as i know, we stopped a while ago.)

    Brad> I was speaking of the CNS "response validation"
    Brad> feature, which was also incorporated at one point into a
    Brad> firewall/security product whose purpose was to provide
    Brad> enhanced security to the systems sitting behind it (such as
    Brad> caching nameservers), as opposed to being intended to
    Brad> function as a replacement for the caching nameservers.

The response validation feature in Nominum's products is a fix for a
buffer overflow problem in the standard resolver library. See
http://www.cert.org/advisories/CA-2002-19.html. A carefully
constructed reply could provoke a buffer overflow or run arbitrary
code in the client doing the DNS lookup. This feature shouldn't be
needed any more as presumably everyone has installed an updated
resolver library by now.
