netbsd-users: Re: BIND core dumps on large DNS tables - was Re: BIND and big giant RBL PLUS!!!! table wahoo!

Subject: Re: BIND core dumps on large DNS tables - was Re: BIND and big giant RBL PLUS!!!! table wahoo!
To: None <netbsd-users@netbsd.org>
From: Chuck Yerkes <chuck+nbsd@2003.snew.com>
List: netbsd-users
Date: 06/10/2003 21:26:00

Quoting John Maier (jmaier@midamerica.net):
> Ok I'll ask the obvious, perhaps stupid question, if it's so good, why isn't
> NetBSD replacing the 8 with 9?

Because you (and I) haven't done the work to get it in :)


OpenBSD moved from BIND 4 (modified) to BIND 9 from January to
March (when it got stable on my SPARC).

They did lots of work to make it chroot by default and to
deal with problems with, er, buffer overruns that the propolice
and other work was preventing BIND from running (amok) freely.

Lots of things were fixed.
I know they put changes back to ISC and would expect them in 9.2.3
if at all.  It may be worth looking at that chunk of the tree
(usr.sbin/named, AFAIK).

Their removal of unbounded strings routines (sprintf et al) from
the kernel and userland also cleans out BIND 9 a bunch.

Per the ISC:
BIND 8 is in "maintainance only" where BIND 9 is heavily favored.


> > > Which brings me to another point, BIND is not able to contend with lists
> > > list large!

Size?  AOL and the COM servers run BIND.  I *think* there are
more COM domains than there are rbl domains.  It may be
a matter of tuning your kernel/server or perhaps drop it
into a nice openldap server and use LDAP to look it up.


BIND 9 gotcha's (just helped a friend with this 30 minutes ago):
BIND 8 *warns* about no $TTL at the top of the file.
BIND 9 *bails* on it.

RunAs named is good.
Chroot to /var/named is good.
Both is best :)

...
> ----- Original Message -----
> From: "Sean J. Schluntz" <schluntz@workofstone.com>
...
> > > Which brings me to another point, BIND is not able to contend with lists
> > > list large!
> > >
> > > With databases this large, BIND cores after a period of time.
> > > It's gotten so bad, that I've had to initiate a cron that checks every
> min
> > > to see if named is running, if not start it.
> > >
> > > This is on two different servers, with latest named 8.3.4-REL
> > >
> > > I am beginning to look at alternative DNS programs, the problem is so
> bad!
> > >
> > > I would rather not have to go to this extreme but...
> >
> > Why don't you use BIND-9.2?  It's a rewrite and runs great.  With a couple
> > of modifications I'm using the BIND8 rc script to startup BIND9 with the
> > chrooted environment.
> >
> > I use to have problems with BIND8 disappearing on me, hasn't happened
> > since I went 9.