ISC statement about BIND9's recent -P1 releases
ISC began work on the -P1 patches immediately upon being made aware of
the Kaminsky vulnerability. Our immediate goal was to make patches
publicly available as soon as possible. During the development cycle we
became aware of a potential performance issue on high-traffic recursive
servers, defined as those seeing a query volume of greater than
10,000 queries per second. Given the limited time frame and associated
risks we chose to finish the patches ASAP and accelerate our work on the
next point releases that would address the high-volume server
performance concerns. It is a credit to the hard work of our
engineering staff that the betas for the next point releases, 9.4.3b2 &
9.5.1b1, came out so close to the patched versions.
Once the patched versions became publicly available additional
performance issues related to port allocation became apparent in the
patch releases. A quick and simple fix for most would be to install one
of the beta releases. ISC understands that for many organizations
running a beta version of BIND in their production environment is not an
option. In order to provide solutions for those users in the shortest
possible time frame, ISC will release a second set of patched versions
labeled P2. ISC will be releasing versions of 9.3.5-P2, 9.4.2-P2 and
9.5.0-P2 at the end of this week. The key features of the -P2 release
are as follows:
- performance improvement over the P1 releases, namely
+ significantly remedying the port allocation issues
+ allowing TCP queries and zone transfers while issuing as many
outstanding UDP queries as possible
+ additional security of port randomization at the same level as the P1
UNTIL THE RELEASE OF THE -P2 CODE, IT IS IMPERATIVE THAT YOU RUN A -P1
VERSION OF BIND ON YOUR CACHING RESOLVERS. THE VULNERABILITY IS OF MORE
CONCERN THAN A SLOW SERVER.
SPECIAL NOTE: 9.5.0-P2 will also include discovered and fixed bugs in
the 9.5.0 base code. We appreciate the community assistance in
reporting these bugs and working with us as we addressed them.
- IF you are NOT experiencing any issues with the 9.5.0-P1, we recommend
that you continue as you are and install the -P2 version when it is
- IF you are experiencing any problems with 9.5.0-P1, ISC recommends
that you roll back to 9.4.2-P1 and not run the 9.5.0-P1 code at this time.
- IF you are running 9.4.3b2 or 9.5.1b1 without issues, continue as you
are and wait for the next beta, release candidate or production release
of that version.
- On the download page, we will be adding the following: 9.5.0-P1 is NOT
recommended for Windows environments; there will be a follow-on release
for Windows available shortly.
Thank you for your continued support.