Re: New BIND 4 8 Vulnerabilities
On Sun, 17 Nov 2002, Craig Sanders wrote:

> FYI, doesn't look like the memory leaks have been fixed:
>
> # ps v -Cnamed
>   PID TTY STAT   TIME MAJFL TRS    DRS    RSS %MEM COMMAND
>  6799 ?   S      0:00   111 232 336175 200968 39.1 /usr/sbin/named -u bind
>  6801 ?   S      0:00     0 232 336175 200968 39.1 /usr/sbin/named -u bind
>  6802 ?   S    466:10  2757 232 336175 200968 39.1 /usr/sbin/named -u bind
>  6803 ?   S      0:04     1 232 336175 200968 39.1 /usr/sbin/named -u bind
>  6804 ?   R     49:56     1 232 336175 200968 39.1 /usr/sbin/named -u bind
>
> this is on a machine where bind 8 used to use about 150MB. bind 9 has been running for only 4 days.

What did that ps v -Cnamed show on the earlier and later days?

Jeremy C. Reed
...
BSD software, documentation, resources, news...
http://bsd.reedmedia.net/
Re: New BIND 4 8 Vulnerabilities
On Mon, Nov 18, 2002 at 11:06:06AM -0800, Jeremy C. Reed wrote:

> On Sun, 17 Nov 2002, Craig Sanders wrote:
> > FYI, doesn't look like the memory leaks have been fixed:
> >
> > # ps v -Cnamed
> >   PID TTY STAT   TIME MAJFL TRS    DRS    RSS %MEM COMMAND
> >  6799 ?   S      0:00   111 232 336175 200968 39.1 /usr/sbin/named -u bind
> >  6801 ?   S      0:00     0 232 336175 200968 39.1 /usr/sbin/named -u bind
> >  6802 ?   S    466:10  2757 232 336175 200968 39.1 /usr/sbin/named -u bind
> >  6803 ?   S      0:04     1 232 336175 200968 39.1 /usr/sbin/named -u bind
> >  6804 ?   R     49:56     1 232 336175 200968 39.1 /usr/sbin/named -u bind
> >
> > this is on a machine where bind 8 used to use about 150MB. bind 9 has been running for only 4 days.
>
> What did that ps v -Cnamed show on the earlier and later days?

named (bind8) had been using about 150-160MB for over six months (it secondaries a huge 75MB zonefile). i had to upgrade the memory in that machine from 256MB to 512MB because of this...i finally got around to doing that 2 months ago.

memory usage varied by no more than about 5MB at any given time, mostly due to variations in the size of the zonefile it secondaries.

here's what i cut and pasted just before i upgraded to bind9:

bind 8.3.3-2:

# ps v -Cnamed
  PID TTY STAT    TIME MAJFL TRS    DRS    RSS %MEM COMMAND
  437 ?   R    2245:18 25633 494 159393  83608 16.2 /usr/sbin/named

and immediately after upgrading to bind9 9.2.1-5:

# ps v -Cnamed
  PID TTY STAT   TIME MAJFL TRS    DRS    RSS %MEM COMMAND
 6799 ?   S      0:00   111 232 192351 174124 33.9 /usr/sbin/named -u bind
 6801 ?   S      0:00     0 232 192351 174124 33.9 /usr/sbin/named -u bind
 6802 ?   S      5:57   189 232 192351 174124 33.9 /usr/sbin/named -u bind
 6803 ?   S      0:00     1 232 192351 174124 33.9 /usr/sbin/named -u bind
 6804 ?   S      0:16     1 232 192351 174124 33.9 /usr/sbin/named -u bind

4 days later, bind9 was consuming over 330MB as the quoted 'ps v' shows above. so i changed back to bind 8.

i installed bind8 version 8.3.3-3 a few days ago, and memory consumption is back to what it was:

# ps v -Cnamed
  PID TTY STAT   TIME MAJFL TRS    DRS    RSS %MEM COMMAND
32705 ?   S    114:42   842 494 157641 152428 29.7 /usr/sbin/named -u bind -g bind

as far as i am concerned, this is sufficient evidence that bind9 has serious memory consumption problems. this is exactly why i stopped experimenting with earlier versions of bind9 on another machine over 6 months ago, and why i started experimenting with alternatives like djbdns and maradns (unfortunately, neither of these are adequate as complete replacements for bind - they make OK caching-only servers but i wouldn't use them as authoritative servers).

this whole exercise has had one benefit at least, i finally set it up to run as user bind rather than as root.

craig

--
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
Re: New BIND 4 8 Vulnerabilities
On Wed, Nov 13, 2002 at 12:46:14PM +1100, Craig Sanders wrote:

> the main thing i'm worried about is that bind9 had enormous memory leaks when i tried 9.0 several months ago. i hope they're fixed now.

FYI, doesn't look like the memory leaks have been fixed:

# ps v -Cnamed
  PID TTY STAT   TIME MAJFL TRS    DRS    RSS %MEM COMMAND
 6799 ?   S      0:00   111 232 336175 200968 39.1 /usr/sbin/named -u bind
 6801 ?   S      0:00     0 232 336175 200968 39.1 /usr/sbin/named -u bind
 6802 ?   S    466:10  2757 232 336175 200968 39.1 /usr/sbin/named -u bind
 6803 ?   S      0:04     1 232 336175 200968 39.1 /usr/sbin/named -u bind
 6804 ?   R     49:56     1 232 336175 200968 39.1 /usr/sbin/named -u bind

this is on a machine where bind 8 used to use about 150MB. bind 9 has been running for only 4 days.

i'm going to revert back to bind 8 now that the patched 8.3.3-3 has been uploaded to unstable.

craig

--
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
Re: New BIND 4 8 Vulnerabilities
On Wed, Nov 13, 2002 at 11:04:01AM +1100, Craig Sanders wrote:

> incompatibilities - no problem if you only have a few zonefiles that need editing, but a major PITA if you have hundreds.

perl -i ?

--
Ted Deppner
http://www.psyber.com/~ted/
Re: New BIND 4 8 Vulnerabilities
On Tue, Nov 12, 2002 at 08:09:59PM +0100, Tobias Kuhrmann [EMAIL PROTECTED] wrote a message of 59 lines which said:

> bind9 is also supporting ACL and other new features. so it is a good idea to use bind9.x.x instead of bind8.x.x

Bind9 is *much* slower
URL:http://www.ripe.net/ripe/meetings/archive/ripe-43/presentations/ripe43-dnr-nsd/
and had its share of security problems.
RE: New BIND 4 8 Vulnerabilities
> the zonefile format had some slight incompatibilities -

What are the incompatibilities between 8.3.3 and 9.x

> need editing, but a major PITA if you have hundreds.

I have over 800.

Andrew P. Kaplan

You miss 100% of the shots you never take.
Wayne Gretzky

-----Original Message-----
From: Craig Sanders [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 12, 2002 7:04 PM
To: Sonny Kupka
Cc: Jeff S Wheeler; debian-isp@lists.debian.org
Subject: Re: New BIND 4 8 Vulnerabilities

On Tue, Nov 12, 2002 at 12:53:51PM -0600, Sonny Kupka wrote:
> Why not use Bind 9.2.1.. It's in woody..
>
> When I came over from Slackware to Debian I installed it and haven't looked back..
>
> The file format was the same from 8.3.* to 9.2.1 I didn't have to do anything..

is this fully backwards-compatible? last time i looked at bind9, the zonefile format had some slight incompatibilities - no problem if you only have a few zonefiles that

if there are zonefile incompatibilities, is there a script to assist in converting zonefiles?

craig

--
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
Re: New BIND 4 8 Vulnerabilities
My BIND 8 zone files are working perfectly. We do have TTL values on every RR in every zone, though. Perhaps that was your difficulty? I believe I made that change when we upgraded from 4.x to 8.x ages ago.

If there is no such script and you have difficulty with your zonefiles, let me know the apparent differences and I'd be happy to whip up a Perl script and post it to the debian-isp list. We have hundreds of zones as well, and if there had been a file format problem, I would have had to do so in order to make the upgrade work.

--
Jeff S Wheeler [EMAIL PROTECTED]

On Tue, 2002-11-12 at 19:04, Craig Sanders wrote:
> On Tue, Nov 12, 2002 at 12:53:51PM -0600, Sonny Kupka wrote:
> > Why not use Bind 9.2.1.. It's in woody..
> >
> > When I came over from Slackware to Debian I installed it and haven't looked back..
> >
> > The file format was the same from 8.3.* to 9.2.1 I didn't have to do anything..
>
> is this fully backwards-compatible? last time i looked at bind9, the zonefile format had some slight incompatibilities - no problem if you only have a few zonefiles that need editing, but a major PITA if you have hundreds.
>
> if there are zonefile incompatibilities, is there a script to assist in converting zonefiles?
>
> craig
>
> --
> craig sanders [EMAIL PROTECTED]
>
> Fabricati Diem, PVNC.
>  -- motto of the Ankh-Morpork City Watch
Re: New BIND 4 8 Vulnerabilities
Why not use Bind 9.2.1.. It's in woody..

When I came over from Slackware to Debian I installed it and haven't looked back..

The file format was the same from 8.3.* to 9.2.1 I didn't have to do anything..

---
Sonny

At 01:08 PM 11/12/2002 -0500, Jeff S Wheeler wrote:
> See ISC.ORG for information on new BIND vulnerabilities. Current bind package in woody is 8.3.3, which is an affected version. Patches are not available yet, it seems.
>
> http://www.isc.org/products/BIND/bind-security.html
>
> --
> Jeff S Wheeler [EMAIL PROTECTED]
> Software Development    Five Elements, Inc
> http://www.five-elements.com/~jsw/
Re: New BIND 4 8 Vulnerabilities
bind9 is also supporting ACL and other new features. so it is a good idea to use bind9.x.x instead of bind8.x.x

// Tobias 'rippe' Kuhrmann

--
BITKRAFT, IT SOLUTIONS
Tobias Kuhrmann, Technical Director
Immanuel-Kant. Str. 15
51427 Bergisch Gladbach
http://www.bitkraft.de

-----Original Message-----
From: Sonny Kupka [mailto:sonny;nothnbut.net]
Sent: Tuesday, 12 November 2002 19:54
To: Jeff S Wheeler; [EMAIL PROTECTED]
Subject: Re: New BIND 4 8 Vulnerabilities

Why not use Bind 9.2.1.. It's in woody..

When I came over from Slackware to Debian I installed it and haven't looked back..

The file format was the same from 8.3.* to 9.2.1 I didn't have to do anything..

---
Sonny

At 01:08 PM 11/12/2002 -0500, Jeff S Wheeler wrote:
> See ISC.ORG for information on new BIND vulnerabilities. Current bind package in woody is 8.3.3, which is an affected version. Patches are not available yet, it seems.
>
> http://www.isc.org/products/BIND/bind-security.html
>
> --
> Jeff S Wheeler [EMAIL PROTECTED]
> Software Development    Five Elements, Inc
> http://www.five-elements.com/~jsw/
Re: New BIND 4 8 Vulnerabilities
I've taken Sonny's suggestion and upgraded to the bind9 package. Initially I thought I had a serious problem, as named was not answering any queries, however it seems to have fixed itself. Ordinarily that would spook me, but in this situation I think I'd rather have spooky software than known-to-be-exploitable software :-)

Thanks for the suggestion, Sonny.

--
Jeff S Wheeler [EMAIL PROTECTED]
Software Development    Five Elements, Inc
http://www.five-elements.com/~jsw/

On Tue, 2002-11-12 at 13:53, Sonny Kupka wrote:
> Why not use Bind 9.2.1.. It's in woody..
>
> When I came over from Slackware to Debian I installed it and haven't looked back..
>
> The file format was the same from 8.3.* to 9.2.1 I didn't have to do anything..
>
> ---
> Sonny
>
> At 01:08 PM 11/12/2002 -0500, Jeff S Wheeler wrote:
> > See ISC.ORG for information on new BIND vulnerabilities. Current bind package in woody is 8.3.3, which is an affected version. Patches are not available yet, it seems.
> >
> > http://www.isc.org/products/BIND/bind-security.html
> >
> > --
> > Jeff S Wheeler [EMAIL PROTECTED]
> > Software Development    Five Elements, Inc
> > http://www.five-elements.com/~jsw/
Re: New BIND 4 8 Vulnerabilities
On Tue, Nov 12, 2002 at 12:53:51PM -0600, Sonny Kupka wrote:

> Why not use Bind 9.2.1.. It's in woody..
>
> When I came over from Slackware to Debian I installed it and haven't looked back..
>
> The file format was the same from 8.3.* to 9.2.1 I didn't have to do anything..

is this fully backwards-compatible? last time i looked at bind9, the zonefile format had some slight incompatibilities - no problem if you only have a few zonefiles that need editing, but a major PITA if you have hundreds.

if there are zonefile incompatibilities, is there a script to assist in converting zonefiles?

craig

--
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
Re: New BIND 4 8 Vulnerabilities
On Wed, Nov 13, 2002 at 11:04:01AM +1100, Craig Sanders wrote:

> On Tue, Nov 12, 2002 at 12:53:51PM -0600, Sonny Kupka wrote:
> > Why not use Bind 9.2.1.. It's in woody..
> >
> > When I came over from Slackware to Debian I installed it and haven't looked back..
> >
> > The file format was the same from 8.3.* to 9.2.1 I didn't have to do anything..
>
> is this fully backwards-compatible? last time i looked at bind9, the zonefile format had some slight incompatibilities - no problem if you only have a few zonefiles that need editing, but a major PITA if you have hundreds.
>
> if there are zonefile incompatibilities, is there a script to assist in converting zonefiles?
>
> craig sanders [EMAIL PROTECTED]

I have a very straight setup but upgrading to bind 9 was done in under 4 seconds. (approx 50 domains).

no troubles so far.

--
tinus
Re: New BIND 4 8 Vulnerabilities
On Wed, Nov 13, 2002 at 02:35:44AM +0100, gravity wrote:

> I have a very straight setup but upgrading to bind 9 was done in under 4 seconds. (approx 50 domains).
>
> no troubles so far.

yep, bind 9.2.x seems a lot better than 9.0 or 9.1. it seems to use more memory than bind8.

i'm doing a trial upgrade (on another server by copying over zone files) right now. a few little gotchas (e.g. ownership/perms of zonefiles), but easily fixed. i'll probably be ready to upgrade my main dns server in an hour or so.

the main thing i'm worried about is that bind9 had enormous memory leaks when i tried 9.0 several months ago. i hope they're fixed now.

craig

--
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
Re: New BIND 4 8 Vulnerabilities
> > I have a very straight setup but upgrading to bind 9 was done in under 4 seconds. (approx 50 domains).
> >
> > no troubles so far.
>
> yep, bind 9.2.x seems a lot better than 9.0 or 9.1. it seems to use more memory than bind8.
>
> i'm doing a trial upgrade (on another server by copying over zone files) right now. a few little gotchas (e.g. ownership/perms of zonefiles), but easily fixed. i'll probably be ready to upgrade my main dns server in an hour or so.
>
> the main thing i'm worried about is that bind9 had enormous memory leaks when i tried 9.0 several months ago. i hope they're fixed now.

We're still on named 8.3.3-REL-NOESW (currently in stable). Is it much of a headache to upgrade to 9.2.x? Any particular procedure or guide you followed that could be read somewhere?

TIA.
RE: New BIND 4 8 Vulnerabilities
If you already have the bind-9.2.x source, read the file doc/misc/migration.

Regards,
--
Thiago Lucas
NOC - Matrix Internet S/A

-----Original Message-----
From: Jason Lim [mailto:maillist;jasonlim.com]
Sent: Wednesday, November 13, 2002 1:26 AM
To: Craig Sanders; gravity
Cc: [EMAIL PROTECTED]
Subject: Re: New BIND 4 8 Vulnerabilities

> > I have a very straight setup but upgrading to bind 9 was done in under 4 seconds. (approx 50 domains).
> >
> > no troubles so far.
>
> yep, bind 9.2.x seems a lot better than 9.0 or 9.1. it seems to use more memory than bind8.
>
> i'm doing a trial upgrade (on another server by copying over zone files) right now. a few little gotchas (e.g. ownership/perms of zonefiles), but easily fixed. i'll probably be ready to upgrade my main dns server in an hour or so.
>
> the main thing i'm worried about is that bind9 had enormous memory leaks when i tried 9.0 several months ago. i hope they're fixed now.

We're still on named 8.3.3-REL-NOESW (currently in stable). Is it much of a headache to upgrade to 9.2.x? Any particular procedure or guide you followed that could be read somewhere?

TIA.
Re: New BIND 4 8 Vulnerabilities
Only gotcha I remember running into is for some reason when I did an uninstall bind 8.* / install bind 9.2.1

For some reason there were 2 bind scripts in /etc/init.d/ one named bind and one bind9 it messed with named running right so I killed bind script and left the /etc/init.d/bind9

As always.. make a back up of your Master Zone Files and if you run into any major problems you have your MZF files to rely on :)

---
Sonny

At 02:26 PM 11/13/2002 +1100, you wrote:
> > > I have a very straight setup but upgrading to bind 9 was done in under 4 seconds. (approx 50 domains).
> > >
> > > no troubles so far.
> >
> > yep, bind 9.2.x seems a lot better than 9.0 or 9.1. it seems to use more memory than bind8.
> >
> > i'm doing a trial upgrade (on another server by copying over zone files) right now. a few little gotchas (e.g. ownership/perms of zonefiles), but easily fixed. i'll probably be ready to upgrade my main dns server in an hour or so.
> >
> > the main thing i'm worried about is that bind9 had enormous memory leaks when i tried 9.0 several months ago. i hope they're fixed now.
>
> We're still on named 8.3.3-REL-NOESW (currently in stable). Is it much of a headache to upgrade to 9.2.x? Any particular procedure or guide you followed that could be read somewhere?
>
> TIA.
Re: New BIND 4 8 Vulnerabilities
On Wed, Nov 13, 2002 at 02:26:25PM +1100, Jason Lim wrote:

> We're still on named 8.3.3-REL-NOESW (currently in stable). Is it much of a headache to upgrade to 9.2.x? Any particular procedure or guide you followed that could be read somewhere?

it's pretty straight-forward. nowhere near the problem it was in earlier releases of bind 9.0 and 9.1

you have to do something like

    chmod -R a+rX /var/cache/bind

so that user 'bind' can read the zonefiles. you also have to enable write access in the case of secondary zonefiles and named dump files (e.g. put secondaries in a subdirectory and make only that subdir writable by user bind). dynamic updated zonefiles also have to be writable by bind.

(actually, bind9 9.2.1-2.woody.1 in stable doesn't run as user 'bind', it still runs as root. only bind 9.2.x in unstable runs as bind. i discovered that when i upgraded a woody server today to woody's bind9)

bind9-doc has a migration file in /usr/share/doc/bind9-doc/misc/ which explains the differences. it's stricter in enforcing RFC compliance.

craig

--
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
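
The layout described in the message above (everything under the zone directory readable by the account named runs as, and only one subdirectory writable by it) can be checked mechanically. The script below is an added example, not code from the thread or from the BIND or Debian packages; the subdirectory name `secondaries`, the file name `db.example` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a zone directory for the
# layout described above: named's account can read everything, but can write
# only inside one subdirectory (secondaries, dump files, dynamic zones).
# Only owner/group/mode are examined: an owner, group or "other" match with
# the bit set counts as access. Supplementary groups and ACLs are ignored.

# audit_zone_dir DIR SUBDIR UID GID
#   DIR      zone directory, e.g. /var/cache/bind
#   SUBDIR   name of the writable subdirectory (assumed name, pick your own)
#   UID GID  numeric ids of the account named runs as
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad DIR.
audit_zone_dir() {
    dir=$1 sub=$2 uid=$3 gid=$4
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=$(
        cd "$dir" || exit 2
        # Read access (what chmod -R a+rX provides): r on files, r+x on dirs.
        find . -type f ! \( -perm -004 -o \( -user "$uid" -perm -400 \) \
            -o \( -group "$gid" -perm -040 \) \) -print | sed 's/^/UNREADABLE /'
        find . -type d ! \( -perm -005 -o \( -user "$uid" -perm -500 \) \
            -o \( -group "$gid" -perm -050 \) \) -print | sed 's/^/UNREADABLE /'
        # Outside SUBDIR the account must not be able to write anything,
        # directories included (write on a directory allows replacing files).
        find . -path "./$sub" -prune -o ! -type l \( -perm -002 \
            -o \( -user "$uid" -perm -200 \) \
            -o \( -group "$gid" -perm -020 \) \) -print | sed 's/^/WRITABLE /'
        # SUBDIR itself has to exist and be writable as owner or via the group.
        ok=$(find "./$sub" -prune \( \( -user "$uid" -perm -200 \) \
            -o \( -group "$gid" -perm -020 \) \) -print 2>/dev/null) || ok=
        [ -n "$ok" ] || echo "NOT-WRITABLE ./$sub"
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample tree, for trying the audit away from a real server.
# The master zone ends up unreadable by everyone and writable by its owner.
make_sample_tree() {
    mkdir -p "$1/secondaries" &&
    echo '; constructed master zone' > "$1/db.example" &&
    chmod 755 "$1" "$1/secondaries" &&
    chmod 200 "$1/db.example"
}

# sh zone-audit.sh demo
#     audits the constructed tree, treating the current user as the daemon
# sh zone-audit.sh /var/cache/bind secondaries "$(id -u bind)" "$(id -g bind)"
#     audits a real directory
case ${1:-} in
    demo) t=$(mktemp -d) && make_sample_tree "$t/zones"
          audit_zone_dir "$t/zones" secondaries "$(id -u)" "$(id -g)"
          rm -rf "$t" ;;
    ?*)   audit_zone_dir "$@" ;;
esac
```

A `WRITABLE .` finding means the account owns the zone directory itself and could replace master files even when the files are read-only.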