BIND 9.2.1 patch, multiple RR's for singleton types.

From: Tim Gladding (timat_private)
Date: Mon Jul 01 2002 - 21:33:44 PDT

    With the release of the libbind buffer overflow a number of people have
    suggested loading a copy of BIND locally and pointing your local resolver
    at just that name server, providing a sanity check of all incoming DNS
    traffic.  For the most part this will work; however, for it to work
    effectively you must be using BIND 9.x because BIND 8.x does not
    reconstruct all responses before forwarding them on.
    
    For more information on the libbind buffer overflow bug please see:
    http://www.cert.org/advisories/CA-2002-19.html
    
    However, your situation may preclude you from running BIND 9 either locally
    or at the site level.  One such situation would be that you are already
    running BIND 8 and you have zones loaded that will not load into BIND 9
    because they have multiple resource records assigned to one singleton data
    type.  For example, an A record pointing to a list of CNAMEs:
    
    	fuzzy	IN	CNAME	www.snuggie.com.
    		IN	CNAME	www.r-9.net.
    
    Normally BIND 9 would reject this as part of a zone.
    
    To overcome this particular problem I have produced the attached patch(1)
    to BIND 9.2.1 which, when applied, will again allow you to use multiple
    CNAMEs etc. on one RR.  This patch is the equivalent of the 'multiple-cnames
    yes;' option in BIND 8.x.
    
    WARNING!!  Although I am running this patch in a production environment
    I cannot guarantee that this patch will work for you.  Please be sure to
    double check the functionality of this patch before employing it in any
    environment!!
    
    -- 
    Tim Gladding
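
A pre-migration check for the zone problem described in the message, as an added example that is not part of the original post or of BIND: it scans master-file text for owner names that carry more than one record of a singleton type. The function names and the sample zone are constructed; it assumes one record per line (no parenthesised multi-line records), and the choice of CNAME, SOA and DNAME as the singleton set is this example's assumption.

```python
import re
from collections import defaultdict

# Assumption of this example: types limited to one RR per owner name.
SINGLETON_TYPES = {"CNAME", "SOA", "DNAME"}
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"(\d+[smhdwSMHDW]?)+")

# Constructed sample zone; the first two records are the ones quoted in the message.
SAMPLE_ZONE = (
    "$TTL 3600\n"
    "fuzzy\tIN\tCNAME\twww.snuggie.com.\n"
    "\t\tIN\tCNAME\twww.r-9.net.\n"
    "www\t300 IN\tA\t192.0.2.10\n"
    "\tIN\tA\t192.0.2.11\n"
    "mail\tIN\tCNAME\twww ; a single CNAME is fine\n"
)

def parse_records(zone_text):
    """Yield (owner, rrtype, rdata) for simple one-line master-file records."""
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments (ignores quoted ';')
        if not line.strip() or line.lstrip().startswith("$"):
            continue                           # blank line or $TTL/$ORIGIN directive
        fields = line.split()
        if not raw[0].isspace():               # leading whitespace inherits the owner
            owner = fields.pop(0).lower()
        # Optional TTL and class may appear in either order before the type.
        while fields and (fields[0].upper() in CLASSES or TTL_RE.fullmatch(fields[0])):
            fields.pop(0)
        if owner is not None and fields:
            yield owner, fields[0].upper(), " ".join(fields[1:])

def singleton_violations(zone_text):
    """Return {(owner, rrtype): [rdata, ...]} where a singleton type repeats."""
    rrsets = defaultdict(list)
    for owner, rrtype, rdata in parse_records(zone_text):
        if rrtype in SINGLETON_TYPES:
            rrsets[(owner, rrtype)].append(rdata)
    return {key: vals for key, vals in rrsets.items() if len(vals) > 1}

if __name__ == "__main__":
    for (owner, rrtype), rdatas in sorted(singleton_violations(SAMPLE_ZONE).items()):
        print(f"{owner}: {len(rdatas)} {rrtype} records: {', '.join(rdatas)}")
```

Running it over each BIND 8 zone file before a move to BIND 9 lists the names that would need either cleanup or a patch of the kind described.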