[dns-operations] CVE 2015-8000 actively exploited yesterday
each at isc.org
Thu Dec 17 00:08:40 UTC 2015
On Thu, Dec 17, 2015 at 10:50:10AM +1100, Nick Urbanik wrote:
> BIND really needs to have a better strategy for dealing with unexpected
> input other than by dying. Perhaps the assumption is that everyone is
> using some kind of script that checks it's running, and if not,
> restarts it. If that is the case, that should be explicitly stated,
> and made policy for packagers, such as Red Hat.
Such a script is included in the BIND source tree, contrib/scripts/nanny.pl,
and is highly recommended. There are other methods too; I've heard of it
being run under Foreman or xinetd, for example.
We've considered adding this capability to named itself (e.g. a "hot swap"
process that can take over immediately if the main server crashes) but
haven't gotten to it yet.
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.