Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica

Damian Menscher damian at google.com
Tue Aug 4 16:49:21 UTC 2015


On Tue, Aug 4, 2015 at 9:39 AM, Mark Andrews <marka at isc.org> wrote:

> In message <9C2ACA5A-755D-4FCF-8491-745A1F9111BA at puck.nether.net>, Jared
> Mauch writes:
> > I recommend using DNSDIST to balance traffic at a protocol level as you
> > can have implementation diversity on the backside.
> >
> > I can send an example config out later for people. You can balance to
> > bind NSD and others all at the same time :-) just move your SPoF
>
> Unless the same client hits the same server all the time this is a
> bad idea.
>

But tying a set of clients to the same backend puts them all in the same
failure domain....

> Resolvers actually track capabilities of servers as it is the only
> way to get answers due to firewalls dropping legitimate packet and
> protocol misimplementations.  Add to that different vendors /
> versions supporting different extensions randomly flipping between
> vendors / versions is frought with danger unless you take extreme
> care.


Out of curiosity, do any resolvers other than BIND do this?  I ask because
BIND has a reputation for having "too many" features, and I wonder if this
is one of them.

Damian

> > On Aug 4, 2015, at 10:03 AM, Jay Ashworth <jra at baylink.com> wrote:
> > >
> > > Everyone got BIND updated?
> > >
> > > http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-could-hamstring-huge-swaths-of-internet/
> > > --
> > > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
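Added illustration (not part of this thread, and not the config Jared offered to send): a dnsdist configuration that fronts a mix of authoritative implementations while pinning each client address to one backend, which is the condition Mark's objection turns on. A resolver probing "the server" for EDNS or other extension support then keeps seeing the same implementation, instead of a different one on every query. The backend addresses and names are constructed (RFC 5737 documentation space), the hash function is written inline, and the dnsdist Lua calls it relies on are newServer, setServerPolicyLua, dq.remoteaddr and server:isUp(); treat any detail beyond those as an assumption to check against the dnsdist version you run.

```lua
-- dnsdist.conf (Lua). Constructed example, not a config from this thread.
-- Listener address and backend addresses are RFC 5737 documentation values.
addLocal("192.0.2.53:53")

-- Implementation diversity on the back side: one backend per software
-- family. The names are labels only; dnsdist does not care what runs there.
newServer({address="192.0.2.11:53", name="bind-1"})
newServer({address="192.0.2.12:53", name="nsd-1"})
newServer({address="192.0.2.13:53", name="knot-1"})

-- Plain-arithmetic string hash (no bit library needed, works on Lua 5.1
-- and LuaJIT alike). 31 * 2^32 stays well inside double precision.
local function hashString(s)
  local h = 0
  for i = 1, #s do
    h = (h * 31 + s:byte(i)) % 4294967296
  end
  return h
end

-- Server selection policy: hash the client's source address onto the set
-- of healthy backends. The same client therefore lands on the same backend
-- as long as the healthy set is unchanged, so the capabilities a resolver
-- learns about this address stay consistent across queries.
setServerPolicyLua("clientSticky", function(servers, dq)
  local up = {}
  for i = 1, #servers do
    if servers[i]:isUp() then
      up[#up + 1] = servers[i]
    end
  end
  if #up == 0 then
    -- Nothing passes health checks; hand back the first backend and let
    -- dnsdist's own failure handling take over rather than dropping.
    return servers[1]
  end
  local client = dq.remoteaddr:toString()   -- address only, no port
  return up[(hashString(client) % #up) + 1]
end)
```

Two caveats a practitioner would want stated. First, this is a plain modulo hash, so when one backend goes down or comes back the mapping of every client can shift at once; a consistent-hash ring over the healthy set would limit that churn to the clients that were on the affected backend. Second, stickiness answers Mark's point but reintroduces Damian's: the clients hashed to a given backend share its failure domain, and the health check is what moves them off it, so the check interval and the backend's behaviour while half-broken matter more here than they do under round-robin.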


