On 11/16/11 5:14 AM, "Phil Mayers" <p.may...@imperial.ac.uk> wrote:

> On 16/11/11 13:07, Warren Kumari wrote:
>> It was (very convincingly!) explained to me that INSISTS() are only
>> used for the "this should not happen" cases, and if the INSISTS()
>> were not there, many of the recent attacks may have led to much worse
>> things like buffer overflows / more worrying security issues (and
>> that the push for INSIST() was directly from this sort of thing in
>> 8.x).

Having spent much time with 8.x, makes sense to me.

> I tend to agree with this kind of reasoning.
>
> It might be good if bind were able to re-start itself, rather than dying
> outright (e.g. re-exec the process) but that is dangerous too; it's
> better done by an unrelated supervising process.

Init, daemontools, etc... Easy enough, but identifying and fixing the
issue is of course the real goal. Long-term mitigation is annoying. ;-)

I'm glad to hear it sounds like BIND 10 DTRT (real solution via R&D),
this is first big item to make me track it seriously.

Needless to say, I'm adding new log monitoring to my 9.8.1 boxes!

--
By nature, men are nearly alike; by practice, they get to be wide apart.
  -- Confucius
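
The fail-stop check plus unrelated supervising process discussed in this thread, as an added example that is not from the posters or from BIND. `DEMO_INSIST`, `worker`, `run_once` and `supervise` are hypothetical names, and the macro is a simplified stand-in, not ISC's INSIST().

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Simplified stand-in for an INSIST-style check (not ISC's macro):
 * report the broken invariant and abort instead of carrying on. */
#define DEMO_INSIST(cond) do { if (!(cond)) { \
    fprintf(stderr, "%s:%d: INSIST(%s) failed\n", __FILE__, __LINE__, #cond); \
    abort(); } } while (0)

#define SLOTS 8

/* Hypothetical worker: idx stands for a value derived from untrusted input. */
static int worker(size_t idx) {
    int table[SLOTS] = {0};
    DEMO_INSIST(idx < SLOTS);  /* without this, the write below runs off the array */
    table[idx] = 1;
    return table[idx] == 1 ? 0 : 1;
}

/* Run the worker in a child process. Returns 0 on clean exit, the signal
 * number if the child was killed by a signal, -1 on any other failure. */
static int run_once(size_t idx) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(worker(idx));
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

/* Separate supervisor: start a fresh worker per request, count assertion
 * aborts, and stop after max_aborts so a crash loop is noticed, not hidden. */
static int supervise(const size_t *reqs, int n, int max_aborts) {
    int aborts = 0;
    for (int i = 0; i < n && aborts < max_aborts; i++)
        if (run_once(reqs[i]) == SIGABRT) aborts++;
    return aborts;
}

int main(void) {
    const size_t reqs[] = {1, 100, 3, 200};  /* constructed sample input */
    printf("aborts seen by supervisor: %d\n", supervise(reqs, 4, 3));
    return 0;
}
```

The abort count returned by the supervisor is the signal worth feeding into log monitoring: each one marks an invariant that should never have failed.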