The good news is that it only took me about 15 minutes to find and reproduce the bug that was causing the improper resource record rotation. The bad news is that the bug that causes the rotation is one that enables a remote denial of service. Hence, I updated all three supported versions of MaraDNS (1.0, 1.2, and 1.3) last night to fix this bug.
Basically, someone can send a specially crafted DNS packet to the DNS server that will make an authoritative CNAME record not resolve. The workaround to disable this denial of service is to add the following line to the mararc file:
max_ar_chain = 2
The fix is to download MaraDNS 1.0.41/1.2.12.08/1.3.07.04 from the MaraDNS download page or to download MaraDNS 1.2.12.08 from the Sourceforge MaraDNS page
All distributions are strongly encouraged to update to 1.2.12.08, or to 1.0.41 if still using the 1.0 branch of MaraDNS. Please remember, 1.0 users, that non-security bugfixes in MaraDNS 1.0 will no longer be applied after December 21 of this year.
I would like to thank Michael Krieger, whose bug report helped me find and fix this problem.
skip to main |
skip to sidebar
Blog moved
This blog is no longer active. My current blog can be found at samiam.org/blog
Search This Blog
Blog Archive
-
▼
2007
(161)
-
▼
August
(14)
- MaraDNS snap; POSIX thoughts
- There's more to DNS than BIND and DjbDNS
- MaraDNS update: All versions
- MaraDNS snapshot update
- Linux fanboys are annoying
- MaraDNS snapshot update
- MaraDNS snapshot update
- MaraDNS releases: 1.2.12.07 and 1.3.07.03
- MaraDNS snapshot update
- New MaraDNS snapshot
- Linux annonyance: /dev/hda now has large file prob...
- MaraDNS snapshot update
- MaraDNS snapshot updated
- Linux distribution choosing made easy
-
▼
August
(14)
