At Wed, 25 Feb 2009 09:20:52 -0500, Todd <canada...@gmail.com> wrote:
> My apologies again, you are correct. I ran a named -v on the boxes,
> forgetting that we were directly calling bind in a non-path. We are
> in fact using 9.4.2-P2 on everything, patched to protect against
> kaminsky. We will look at an upgrade program to get these boxes
> (about 80 servers, unfortunately the majority of our infrastructure)
> upgraded to protect against this.
>
> Are there any suggestions that anyone can provide to mitigate against
> this coming up until such a time that we can upgrade?

- make sure the 'files' named.conf option is set to a small value (the
  default value should be fine)
- unless you need a large number of TCP connections (which is unlikely
  if named is a caching-only server) decrease the value for
  reserved-sockets (the allowable minimum is 128 if I remember
  correctly, which should be fine)

In addition, if your OS is Linux, the following two *MUST* also be done:

- make sure named is built with some large number for
  ISC_SOCKET_FDSETSIZE.
- if your named is built with threads, make sure the allowable number of
  open files ('ulimit -n') is sufficiently large before starting named.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
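The named.conf and 'ulimit -n' checks from the reply above, as an added shell example that is not part of the thread or of BIND itself. It assumes the two options sit one per line inside the options block, takes 128 as the reserved-sockets minimum the reply recalls, and is handed the open-file limit by the caller; the ISC_SOCKET_FDSETSIZE build constant cannot be inspected this way and is not checked.

```shell
#!/bin/sh
# Added example, not code from the thread: a pre-start sanity check for
# the 'files' and 'reserved-sockets' options plus the open-file limit.
# Assumptions: options appear as "files <value>;" and
# "reserved-sockets <value>;" on their own lines; 128 is the minimum
# for reserved-sockets as recalled in the reply.

# Print the value of a named.conf option (first match), or nothing.
conf_value() {  # conf_value <option> <conf-file>
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p" "$2" | head -n 1
}

# check_named_fds <conf-file> <open-file-limit, e.g. $(ulimit -n)>
# Exit status 0 when nothing is wrong; each finding is printed on one line.
check_named_fds() {
    conf=$1; nofile=$2; rc=0
    files=$(conf_value files "$conf")
    reserved=$(conf_value reserved-sockets "$conf")

    case "$files" in
        '')        echo "files: not set, the server default applies" ;;
        unlimited) echo "files: unlimited, set it to a small value"; rc=1 ;;
        *[!0-9]*)  echo "files: cannot parse value '$files'"; rc=1 ;;
        *) if [ "$nofile" != unlimited ] && [ "$nofile" -lt "$files" ]; then
               echo "files: $files exceeds the open-file limit $nofile"; rc=1
           fi ;;
    esac

    case "$reserved" in
        ''|*[!0-9]*) echo "reserved-sockets: unset or unparsable, set it explicitly"; rc=1 ;;
        *) if [ "$reserved" -lt 128 ]; then
               echo "reserved-sockets: $reserved is below the minimum of 128"; rc=1
           fi ;;
    esac
    return $rc
}

# write_sample_conf <path> <files-value> <reserved-sockets-value>
# Writes a constructed caching-only named.conf for the demo below.
write_sample_conf() {
    printf 'options {\n\tdirectory "/var/named";\n\trecursion yes;\n\tfiles %s;\n\treserved-sockets %s;\n};\n' "$2" "$3" > "$1"
}

# Demo: a weak configuration beside a corrected one, both constructed here.
demo=${TMPDIR:-/tmp}/named-fd-demo.$$
write_sample_conf "$demo.weak" unlimited 64
write_sample_conf "$demo.fixed" 1024 128
check_named_fds "$demo.weak" 1024 || echo "weak config: FAIL"
check_named_fds "$demo.fixed" 1024 && echo "fixed config: OK"
rm -f "$demo.weak" "$demo.fixed"
```

Run it on a real server as `check_named_fds /etc/named.conf "$(ulimit -n)"` from the account that starts named, since the limit is per-user.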