Re: ISC statement about BIND9's recent -P1 releases - DNS

This is a discussion on Re: ISC statement about BIND9's recent -P1 releases - DNS ; Well... while it's http://www.zdnet.com.au/news/securit...blunder/0,1300 61744,339290928,00.htm> certainly "another view" on the same facts.. I find it a particularly distasteful one... Paul and the rest of the folks at ISC have worked to fix this problem as quickly as possible. The fact ...

+ Reply to Thread
Results 1 to 7 of 7

Thread: Re: ISC statement about BIND9's recent -P1 releases

  1. Re: ISC statement about BIND9's recent -P1 releases

    Well... while it's

    <http://www.zdnet.com.au/news/securit...blunder/0,1300
    61744,339290928,00.htm>

    certainly "another view" on the same facts.. I find it a particularly
    distasteful one...

    Paul and the rest of the folks at ISC have worked to fix this problem as
    quickly as possible. The fact that haste sometimes yields unforseen
    consequences was an unforutnate outcome of this particular effort.

    I'd like to thank the folks at ISC for responding quickly, with a good
    faith effort to fix the problem.. and for working a dual pronged effort
    such that the "quick fix" would be replaced in a timely manner with the
    definitive solution.

    The fact that the first effort had problems, is, in my opinion, "small
    potatoes" compared to usual "stone walling" you get from some vendors.

    Thanks, Paul, and the rest of the crew at ISC.

    Your work is appreciated.

    Steve Lancaster


    [In a message on Tue, 29 Jul 2008 20:51:00 BST,
    "Stephane Bortzmeyer" wrote:]
    >On Mon, Jul 28, 2008 at 04:02:07PM +0000,
    > Paul Vixie wrote
    > a message of 60 lines which said:
    >
    >> ISC began work on the -P1 patches immediately upon being made aware of
    >> the Kaminsky vulnerability. Our immediate goal was to make patches
    >> publicly available as soon as possible. During the development cycle we
    >> became aware of a potential performance issue
    >
    >A very different way of presenting the same facts:
    >
    >http://www.zdnet.com.au/news/securit...blunder/0,1300
    >61744,339290928,00.htm
    >

    Steve



  2. Re: ISC statement about BIND9's recent -P1 releases

    On Tue, 29 Jul 2008 13:21:15 -0700, Steve Lancaster
    wrote:

    >Well... while it's
    >
    ><http://www.zdnet.com.au/news/securit...blunder/0,1300
    >61744,339290928,00.htm>
    >
    >certainly "another view" on the same facts.. I find it a particularly
    >distasteful one...
    >
    Steve:

    I agree with you and others here, ISC has done a great job in short
    time.

    As one whose "other job" is as a flight RN on a helicopter (medical
    transport) lets put it this way....no one is dying cause your name
    servers are crashing...in this area you get one chance to fix a
    problem and if you guess wrong or hesitate too long someone may truly
    suffer due to is.....name server crashing is not that area for sure.

    I think everyone needs to take a nice deep breath, relax, ISC will
    come up with a fix soon, and for now if its crashing look into
    something like maybe psmon to keep an eye on it and kick it back in
    (at least in the *nix) world.

    Now if someone can tell me how to do the same restart in Windoze I'd
    be much appreciative, (Not my strong suit and I've got one box here
    with 9.5.p1 on it that dies at random.

    George
    --
    ===[George R. Kasica]=== +1 262 677 0766
    President +1 206 374 6482 FAX
    Netwrx Consulting Inc. Jackson, WI USA
    http://www.netwrx1.com
    georgek@netwrx1.com
    ICQ #12862186

  3. Re: ISC statement about BIND9's recent -P1 releases

    I am not saying burn ISC at the stake by any stretch of the imagination, but
    I think your comment about people not dying if a nameserver is down is a
    little understating things. Perhaps in your DNS environment servers
    crashing and being unable to resolve is not a big deal, but I bet a lot of
    the folks here who run DNS for large organizations would beg to differ.
    --
    -Ben Croswell

    On Thu, Jul 31, 2008 at 7:08 AM, George R. Kasica wrote:

    > On Tue, 29 Jul 2008 13:21:15 -0700, Steve Lancaster
    > wrote:
    >
    > >Well... while it's
    > >
    > ><
    > http://www.zdnet.com.au/news/securit...blunder/0,1300
    > >61744,339290928,00.htm>
    > >
    > >certainly "another view" on the same facts.. I find it a particularly
    > >distasteful one...
    > >
    > Steve:
    >
    > I agree with you and others here, ISC has done a great job in short
    > time.
    >
    > As one whose "other job" is as a flight RN on a helicopter (medical
    > transport) lets put it this way....no one is dying cause your name
    > servers are crashing...in this area you get one chance to fix a
    > problem and if you guess wrong or hesitate too long someone may truly
    > suffer due to is.....name server crashing is not that area for sure.
    >
    > I think everyone needs to take a nice deep breath, relax, ISC will
    > come up with a fix soon, and for now if its crashing look into
    > something like maybe psmon to keep an eye on it and kick it back in
    > (at least in the *nix) world.
    >
    > Now if someone can tell me how to do the same restart in Windoze I'd
    > be much appreciative, (Not my strong suit and I've got one box here
    > with 9.5.p1 on it that dies at random.
    >
    > George
    > --
    > ===[George R. Kasica]=== +1 262 677 0766
    > President +1 206 374 6482 FAX
    > Netwrx Consulting Inc. Jackson, WI USA
    > http://www.netwrx1.com
    > georgek@netwrx1.com
    > ICQ #12862186
    >
    >



  4. Re: ISC statement about BIND9's recent -P1 releases

    Ben Croswell wrote:
    > I am not saying burn ISC at the stake by any stretch of the imagination, but
    > I think your comment about people not dying if a nameserver is down is a
    > little understating things. Perhaps in your DNS environment servers
    > crashing and being unable to resolve is not a big deal, but I bet a lot of
    > the folks here who run DNS for large organizations would beg to differ.
    I think that DNS redundancy is something that people might have put on
    the back burner in the past.

    Perhaps this exercise, along with bringing up some issues with staying
    current will also get people to reconsider how important DNS is and how
    they should re-structure their network to provide redundancy.

    Perhaps.

    AlanC



  5. Re: ISC statement about BIND9's recent -P1 releases

    Thankfully I work for a company that understands how important DNS is.
    However, the buzz has been "upgrade everything immediately because the
    Internet is going to stop working". If you upgrade everything to -P1 you
    have the potential for all of your redundancy to be crashing as well.
    --
    -Ben Croswell

    On Thu, Jul 31, 2008 at 3:18 PM, Alan Clegg wrote:

    > Ben Croswell wrote:
    > > I am not saying burn ISC at the stake by any stretch of the imagination,
    > but
    > > I think your comment about people not dying if a nameserver is down is a
    > > little understating things. Perhaps in your DNS environment servers
    > > crashing and being unable to resolve is not a big deal, but I bet a lot
    > of
    > > the folks here who run DNS for large organizations would beg to differ.
    > I think that DNS redundancy is something that people might have put on
    > the back burner in the past.
    >
    > Perhaps this exercise, along with bringing up some issues with staying
    > current will also get people to reconsider how important DNS is and how
    > they should re-structure their network to provide redundancy.
    >
    > Perhaps.
    >
    > AlanC
    >
    >
    >
    >



  6. Re: ISC statement about BIND9's recent -P1 releases

    I could imagine a few places where DNS is part of life support; I
    believe that would be a bad design but it could be so a few places.

    Ben Croswell wrote:
    > I am not saying burn ISC at the stake by any stretch of the imagination, but
    > I think your comment about people not dying if a nameserver is down is a
    > little understating things. Perhaps in your DNS environment servers
    > crashing and being unable to resolve is not a big deal, but I bet a lot of
    > the folks here who run DNS for large organizations would beg to differ.
    >

    --
    Best regards

    Sten Carlsen

    No improvements come from shouting:

    "MALE BOVINE MANURE!!!"


  7. Re: ISC statement about BIND9's recent -P1 releases

    George R. Kasica wrote:
    > On Tue, 29 Jul 2008 13:21:15 -0700, Steve Lancaster
    > wrote:
    >
    >> Well... while it's
    >>
    >> <http://www.zdnet.com.au/news/securit...blunder/0,1300
    >> 61744,339290928,00.htm>
    >>
    >> certainly "another view" on the same facts.. I find it a particularly
    >> distasteful one...
    >>
    > Steve:
    >
    > I agree with you and others here, ISC has done a great job in short
    > time.
    >
    > As one whose "other job" is as a flight RN on a helicopter (medical
    > transport) lets put it this way....no one is dying cause your name
    > servers are crashing...in this area you get one chance to fix a
    > problem and if you guess wrong or hesitate too long someone may truly
    > suffer due to is.....name server crashing is not that area for sure.
    >
    > I think everyone needs to take a nice deep breath, relax, ISC will
    > come up with a fix soon, and for now if its crashing look into
    > something like maybe psmon to keep an eye on it and kick it back in
    > (at least in the *nix) world.
    >
    > Now if someone can tell me how to do the same restart in Windoze I'd
    > be much appreciative, (Not my strong suit and I've got one box here
    > with 9.5.p1 on it that dies at random.
    >

    Just go into the Services Computer Management, select ISC BIND and go
    into properties. Select the Recovery Tab and set the action you want the
    service to take when it dies.

    Danny
    > George


+ Reply to Thread
« Re: DNS MX record and Postfix Relay host of ISP | order of NS query »