[dns-operations] CVE 2015-8000 actively exploited yesterday

Evan Hunt each at isc.org
Thu Dec 17 00:08:40 UTC 2015


On Thu, Dec 17, 2015 at 10:50:10AM +1100, Nick Urbanik wrote:
> BIND really needs to have a better strategy for dealing with unexpected
> input other than by dying.  Perhaps the assumption is that everyone is
> using some kind of script that checks it's running, and if not,
> restarts it.  If that is the case, that should be explicitly stated,
> and made policy for packagers, such as Red Hat.

Such a script is included in the BIND source tree, contrib/scripts/nanny.pl,
and is highly recommended.  There are other methods too; I've heard of it
being run under Foreman or xinetd, for example.

We've considered adding this capability to named itself (e.g. a "hot swap"
process that can take over immediately if the main server crashes) but
haven't gotten to it yet.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
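A restart watchdog of the kind the reply describes, as an added example (my own POSIX sh sketch, not ISC's nanny.pl). It polls named with a check command and rate-limits restarts so a server that dies on every start (for instance when the same crashing query arrives again) is not restarted in a tight loop. CHECK_CMD, START_CMD and the thresholds are assumptions; adjust them to the local setup.

```shell
#!/bin/sh
# Minimal named watchdog (added example, not ISC's nanny.pl).
# Assumed: rndc is configured, and named is started by START_CMD.
CHECK_CMD="${CHECK_CMD:-rndc status}"          # succeeds only if named answers
START_CMD="${START_CMD:-systemctl start named}" # placeholder start command
INTERVAL="${INTERVAL:-10}"                      # seconds between checks
MAX_RESTARTS="${MAX_RESTARTS:-5}"               # restarts allowed per window
WINDOW="${WINDOW:-300}"                         # window length in seconds
restarts=0; window_start=0

log() { logger -t named-watchdog "$*" 2>/dev/null || echo "named-watchdog: $*" >&2; }

named_alive() { $CHECK_CMD >/dev/null 2>&1; }

# Returns 0 if a restart is allowed at time $1 (epoch seconds), 1 if the
# restart budget for the current window is exhausted.
restart_allowed() {
    t=$1
    if [ $((t - window_start)) -ge "$WINDOW" ]; then
        window_start=$t; restarts=0          # new window, reset the budget
    fi
    [ "$restarts" -lt "$MAX_RESTARTS" ]
}

# One supervision step: returns 0 if named is up or was just restarted,
# 1 if it is down and the budget is spent (an operator must look at it).
supervise_once() {
    now=${1:-$(date +%s)}
    if named_alive; then return 0; fi
    if restart_allowed "$now"; then
        restarts=$((restarts + 1))
        log "named not responding; restart $restarts/$MAX_RESTARTS"
        $START_CMD
        return 0
    fi
    log "named down and restart budget exhausted; needs operator attention"
    return 1
}

# The polling loop runs only when invoked as: sh watchdog.sh --run
case "${1:-}" in
    --run) while :; do supervise_once; sleep "$INTERVAL"; done ;;
esac
```

Once the budget is exhausted supervise_once keeps returning 1 each cycle, which is the signal to page someone rather than keep restarting.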
