Your message dated Wed, 30 Jan 2013 21:48:00 +0000
with message-id <[email protected]>
and subject line Bug#698641: fixed in bind9 1:9.8.4.dfsg.P1-5
has caused the Debian Bug report #698641,
regarding Please apply the rate limiting patches
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
698641: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698641
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bind9
Severity: important
With the grown deployment of DNSSEC and more information being put into
the domain name system, DNS servers have become and are becoming a
useful tool for denial of service attacks by providing amplification:
a single UDP packet of only a few bytes causes a response many times the
size of the query.
An adversary can use this effect to either cause a huge amount of
traffic to flow towards their target site (by faking the source address
of requests), or to cause a nameserver to effectively DoS itself by
filling up its outbound pipe with only a couple thousand requests per
second, costing very little in bandwidth for the adversary.
Vernon Schryver, Paul Vixie, et al have been working on bringing
(response) rate limiting to nameservers. Such a feature enables the
admin of an authoritative nameserver to limit responses in the face of
their server being abused.
The particular patchset for bind, linked from [1], is able to enforce
limits per requested name/type/source address tuple, and can fallback to
sending clients a tiny retry-using-TCP packet. The intent is to make
the server useless as an amplifier while not breaking resolving for
anyone.
Debian admin has deployed the patch at [2] to the bind running the
debian.org nameservers - else debian.org's nameservers would not have
any resources left to answer legitimate queries.
We think it important that the bind version Debian ships be actually
useable by the internet community in general, and ourselves in
particular. Therefore we ask you (and the release folks) to consider
shipping wheezy's bind with the rate limiting patches applied.
Thanks for your consideration,
weasel
1. http://www.redbarn.org/dns/ratelimits
2. http://ss.vix.su/~vjs/rpz2+rl-9.8.4-P1.patch
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/
--- End Message ---
--- Begin Message ---
Source: bind9
Source-Version: 1:9.8.4.dfsg.P1-5
We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
LaMont Jones <[email protected]> (supplier of updated bind9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 30 Jan 2013 14:04:35 -0700
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-80
libdns88 libisc84 liblwres80 libisccc80 libisccfg82 dnsutils lwresd
Architecture: all amd64 i386 source
Version: 1:9.8.4.dfsg.P1-5
Distribution: unstable
Urgency: low
Maintainer: LaMont Jones <[email protected]>
Changed-By: LaMont Jones <[email protected]>
Closes: 698641
Description:
bind9-doc - Documentation for BIND
bind9-host - Version of 'host' bundled with BIND 9.X
bind9 - Internet Domain Name Server
bind9utils - Utilities for BIND
dnsutils - Clients provided with BIND
host - Transitional package
libbind9-80 - BIND9 Shared Library used by BIND
libbind-dev - Static Libraries and Headers used by BIND
libdns88 - DNS Shared Library used by BIND
libisc84 - ISC Shared Library used by BIND
libisccc80 - Command Channel Library used by BIND
libisccfg82 - Config File Handling Library used by BIND
liblwres80 - Lightweight Resolver Library used by BIND
lwresd - Lightweight Resolver Daemon
Changes:
bind9 (1:9.8.4.dfsg.P1-5) unstable; urgency=low
.
[LaMont Jones]
.
* Properly acknowledge 1:9.8.1.dfsg.P1-4.4: [Philipp Kern]
- Fix CVE-2012-4244. Thanks to Moritz Mühlenhoff for providing the patch.
.
[Paul Vixie]
.
* Include rpz/rrl patches from http://www.redbarn.org/dns/ratelimits.
Closes: #698641
Checksums-Sha1:
a6bd60dfe10716ce3a4cf0b27b71d65dcfe89f24 369710 bind9_9.8.4.dfsg.P1-5_amd64.deb
efcff38cf4bc402299446e710e379c9e3a0d624a 124288
bind9utils_9.8.4.dfsg.P1-5_amd64.deb
dfe5294037fcaead19570ed4a6ba5417b24ef0f2 73034
bind9-host_9.8.4.dfsg.P1-5_amd64.deb
e01d5859c641e9d1c87ce78f3064ab0c32835dc0 1578498
libbind-dev_9.8.4.dfsg.P1-5_amd64.deb
f43a523d5112ce6a26bf3b412e1c346efe369c6b 41868
libbind9-80_9.8.4.dfsg.P1-5_amd64.deb
58a2f2125f0ddeb98e3ad6123c9c657670f3eb77 750030
libdns88_9.8.4.dfsg.P1-5_amd64.deb
d3925d0b1b22c8467469753d84b8df1558f2b295 182070
libisc84_9.8.4.dfsg.P1-5_amd64.deb
426b96bcf296b80e9d189077600c146131a88920 54768
liblwres80_9.8.4.dfsg.P1-5_amd64.deb
7c26e872edccc0c28f08bd4ab8c92bf477386945 35482
libisccc80_9.8.4.dfsg.P1-5_amd64.deb
182f46f69d4948dc5c06a6d9ff62a55fec39689d 62338
libisccfg82_9.8.4.dfsg.P1-5_amd64.deb
6a1974b537e553402051b845d1ecf80ff225a641 166132
dnsutils_9.8.4.dfsg.P1-5_amd64.deb
1fbab829b522231f15f56fcb6fefbfe14ba96389 252008
lwresd_9.8.4.dfsg.P1-5_amd64.deb
c1d38d5b871f06128452d93f00093f57c9a321fb 363644
bind9-doc_9.8.4.dfsg.P1-5_all.deb
8fc9a00caa51763ee06d5258b20b3da4db51c007 20174 host_9.8.4.dfsg.P1-5_all.deb
cdfbe298ec68551b12526228026514b2adfc1aa1 364380 bind9_9.8.4.dfsg.P1-5_i386.deb
ab4c9af63026fa2c83826ae241aae62105b48660 120854
bind9utils_9.8.4.dfsg.P1-5_i386.deb
4ca51b1b7c77c98563ffc7c36f8c04e8be22de08 71620
bind9-host_9.8.4.dfsg.P1-5_i386.deb
79f00aae1ab04ad52f71b894f7cc4861963e2b7f 1568268
libbind-dev_9.8.4.dfsg.P1-5_i386.deb
b1dda15ecd76fd18be34cb4e1be2d8e7b32778d5 42154
libbind9-80_9.8.4.dfsg.P1-5_i386.deb
d451c971b8f56f097ef4ab5db1c5632df800faf5 749556
libdns88_9.8.4.dfsg.P1-5_i386.deb
b5a5a575abfab91de18681c858bac7e052d2b813 181534
libisc84_9.8.4.dfsg.P1-5_i386.deb
7f02f2d50a792870b2d2228672f76719fc6ac2eb 55016
liblwres80_9.8.4.dfsg.P1-5_i386.deb
181168d440bec870cd18d9c2308d716ca34eb6ba 35784
libisccc80_9.8.4.dfsg.P1-5_i386.deb
901aeb24b8deb46a3ae59f2fe49c36a77c825093 59480
libisccfg82_9.8.4.dfsg.P1-5_i386.deb
56958aae682f5d578c6c6ef47796a58376125944 162398
dnsutils_9.8.4.dfsg.P1-5_i386.deb
1c7cfec08f266f0f7d653680319769e93183ed82 250252 lwresd_9.8.4.dfsg.P1-5_i386.deb
01c0e61a097e49228212b06db73fb1943e8e8b99 1942 bind9_9.8.4.dfsg.P1-5.dsc
3ab83667ab3ce2df6bdf558cc1e5a361fe5b539b 7258441
bind9_9.8.4.dfsg.P1.orig.tar.gz
387af642bc9cfcc4078a03c0060de3a84b00cff9 661228 bind9_9.8.4.dfsg.P1-5.diff.gz
Checksums-Sha256:
891f09c55592f7d2e91d71fdc23a7e5632e350e909193b201d9b188eb8367b8a 369710
bind9_9.8.4.dfsg.P1-5_amd64.deb
f82fff911ec9d21476ec2750e8ea2144e63da3c7b55fedeb995fc1ba9f6a79c4 124288
bind9utils_9.8.4.dfsg.P1-5_amd64.deb
17aa2b7eae23484799542cf5996b7330216ba654df00c9d5597b4524d9bca2df 73034
bind9-host_9.8.4.dfsg.P1-5_amd64.deb
a4b2e8dbd6c4bd40ca353d2a058a7aa7fb8b1a62183cead59c128c01271935d6 1578498
libbind-dev_9.8.4.dfsg.P1-5_amd64.deb
f234248768c912b48db3bb2190d5f5d9397b3a3c4093f908182782d2f1627d12 41868
libbind9-80_9.8.4.dfsg.P1-5_amd64.deb
13e532a1bf4669d4d7d48514097165905f1694778a37bd1d2a254ea62830a325 750030
libdns88_9.8.4.dfsg.P1-5_amd64.deb
65445a7728bd6408c0076ea5d6e76ada10e80898cbc77c9347fa3b14deb194b7 182070
libisc84_9.8.4.dfsg.P1-5_amd64.deb
85d19def102fbbe8cf116fa8fe6dfb8a31acbe382418e78e3c4d5db41b1e4bcb 54768
liblwres80_9.8.4.dfsg.P1-5_amd64.deb
3e30f2ded964889abbf057096099ea074178d88e7048a9848e461da0c9aadb86 35482
libisccc80_9.8.4.dfsg.P1-5_amd64.deb
9250793f181b4f7013cf361d7aa94a9c1709febfee9eb47f4939e8dc801228c7 62338
libisccfg82_9.8.4.dfsg.P1-5_amd64.deb
69b5991232648683ab16488ee227d6c91ca2f96c58eff4d10f74e3c4e4886aba 166132
dnsutils_9.8.4.dfsg.P1-5_amd64.deb
5905c67b1fb7b265ac1a463514dd304e9f9cf90eb5c4ad1bd270567082cc6d6d 252008
lwresd_9.8.4.dfsg.P1-5_amd64.deb
19dc7434894cd8a15121f46aa4f75263789f031de4d98ace3f473e755c278e0e 363644
bind9-doc_9.8.4.dfsg.P1-5_all.deb
3badccacf95fb2486e7eb6417a879c614a93f76c91c0cf3df50e589ed7f0218d 20174
host_9.8.4.dfsg.P1-5_all.deb
80767924863cc3f177c56255dcffaf0ae6b66e2039c3f453a767e297b290f7fd 364380
bind9_9.8.4.dfsg.P1-5_i386.deb
5a20dbd6e9480452068fe99a4fe484d83fada34639e549f58bd49308a9ce3776 120854
bind9utils_9.8.4.dfsg.P1-5_i386.deb
9b541199c1c333a0d76fdb3f5161b4f40c249107982b2e95cc3797367b2c2225 71620
bind9-host_9.8.4.dfsg.P1-5_i386.deb
a87256c96c0c6e87205ea3982321d88ad3e6973602a9752e5f046c1337f070e9 1568268
libbind-dev_9.8.4.dfsg.P1-5_i386.deb
61f29aaafb165b9969d1500302633008ed32f75183f40a7ccc875d4e3578153c 42154
libbind9-80_9.8.4.dfsg.P1-5_i386.deb
c826806d842549e491b6a535aa9bbb372cbd188ecfa9d9dfe1f4e1ed1bf5fbaa 749556
libdns88_9.8.4.dfsg.P1-5_i386.deb
585d9cd2afe4d561ae83040c2d60a46228e89e69c10dfe0c0664370c807e7279 181534
libisc84_9.8.4.dfsg.P1-5_i386.deb
df40dca177b97496c54c1d91c7abef132edc2c116cc6bdf257d6aa58abe634fd 55016
liblwres80_9.8.4.dfsg.P1-5_i386.deb
3a53b982a8a10265dc6608354f117b63f8611c7c6ac604a72cbbec8092740449 35784
libisccc80_9.8.4.dfsg.P1-5_i386.deb
d18f800c3eea1a6fb632c141d72d641fdc72c219503d2624788354ea7d1f4cee 59480
libisccfg82_9.8.4.dfsg.P1-5_i386.deb
5d7498c63d73467289b48e6c666770aeea71a9467652f5326c49e4f7d3461856 162398
dnsutils_9.8.4.dfsg.P1-5_i386.deb
da091a21e3e07ef67a7480745c8a673336aa8fc1946fa33f8102188aae798e60 250252
lwresd_9.8.4.dfsg.P1-5_i386.deb
dc4d3176bf3eb2d1d027927beb4776a7270901bb4026b913686cb5b2cce0a361 1942
bind9_9.8.4.dfsg.P1-5.dsc
de7b8ef3f5336ba2c19e7ad8cec618e1bf77fbd81cc2e45cc7f798544e843bdb 7258441
bind9_9.8.4.dfsg.P1.orig.tar.gz
c8948cb776eb565855afcabbc1d90248e2b93473f8b3b9e3ac0be9f947d113c0 661228
bind9_9.8.4.dfsg.P1-5.diff.gz
Files:
22db53d20b2d36a452d602768a4dba18 369710 net optional
bind9_9.8.4.dfsg.P1-5_amd64.deb
94a97350a293339218acde4a60288675 124288 net optional
bind9utils_9.8.4.dfsg.P1-5_amd64.deb
aeeb1b941cd761dd8b103f0031831fa6 73034 net standard
bind9-host_9.8.4.dfsg.P1-5_amd64.deb
4a265eaf76a038a85667e1740692443c 1578498 libdevel optional
libbind-dev_9.8.4.dfsg.P1-5_amd64.deb
fd8adfc4a066aac7be7c196985f52909 41868 libs standard
libbind9-80_9.8.4.dfsg.P1-5_amd64.deb
4adccaf267b2a4de91ccc19b482cb23c 750030 libs standard
libdns88_9.8.4.dfsg.P1-5_amd64.deb
2dc14093536981d066c4e750e8766a19 182070 libs standard
libisc84_9.8.4.dfsg.P1-5_amd64.deb
ba7e3a6c29b35ce7dcf3e437f1d7ec9e 54768 libs standard
liblwres80_9.8.4.dfsg.P1-5_amd64.deb
9baa4aedf4161a51801f3acbd90d283b 35482 libs optional
libisccc80_9.8.4.dfsg.P1-5_amd64.deb
2b63e8d2af7efface75ab415ae6d9a81 62338 libs optional
libisccfg82_9.8.4.dfsg.P1-5_amd64.deb
86c5ab1e74ee71298425e6a91db18b01 166132 net standard
dnsutils_9.8.4.dfsg.P1-5_amd64.deb
cda64b38a2725b00f8b4277f58570717 252008 net optional
lwresd_9.8.4.dfsg.P1-5_amd64.deb
c4f453a312aaca651ab688bf44d0c813 363644 doc optional
bind9-doc_9.8.4.dfsg.P1-5_all.deb
63e303ed958f51aa9035afc1ef630d9e 20174 net standard
host_9.8.4.dfsg.P1-5_all.deb
edef606fc3ffba307ef00d63bbfe387c 364380 net optional
bind9_9.8.4.dfsg.P1-5_i386.deb
29ce8f8376e8e9fb30ca429d11afc039 120854 net optional
bind9utils_9.8.4.dfsg.P1-5_i386.deb
ce141c3cbde8ccda2013b9542aac6168 71620 net standard
bind9-host_9.8.4.dfsg.P1-5_i386.deb
19bd92fe3230752481d8f0cc1f57877f 1568268 libdevel optional
libbind-dev_9.8.4.dfsg.P1-5_i386.deb
72f9eda72cee12ed37df597afb76fe10 42154 libs standard
libbind9-80_9.8.4.dfsg.P1-5_i386.deb
2d01d9c6aa87e655712b3eb668c07dff 749556 libs standard
libdns88_9.8.4.dfsg.P1-5_i386.deb
7be57f3ff65534d0a0958e89e035879b 181534 libs standard
libisc84_9.8.4.dfsg.P1-5_i386.deb
e5d253dee9f328ecf5d3955dd750d973 55016 libs standard
liblwres80_9.8.4.dfsg.P1-5_i386.deb
4c0fce260fc2cb5ca6ffcb323a25db7d 35784 libs optional
libisccc80_9.8.4.dfsg.P1-5_i386.deb
7fda2da919de05280017fdbd9b7c143d 59480 libs optional
libisccfg82_9.8.4.dfsg.P1-5_i386.deb
03e220847a88b1b6d42f0e88d364eacb 162398 net standard
dnsutils_9.8.4.dfsg.P1-5_i386.deb
d23bc5e1a3568044d2c6412ed58c9777 250252 net optional
lwresd_9.8.4.dfsg.P1-5_i386.deb
447772f244b521b55866d3a9f86a8607 1942 net optional bind9_9.8.4.dfsg.P1-5.dsc
96f5c03a8b42d29519c8860bea5a8353 7258441 net optional
bind9_9.8.4.dfsg.P1.orig.tar.gz
32637cd3761da822f610d11e7db8fa2c 661228 net optional
bind9_9.8.4.dfsg.P1-5.diff.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFRCZGyzN/kmwoKyScRAkg4AKCOeExcaRKMttnXyR6nHO1V9pDzBwCeONC9
jHWIWjWu7VaAMMv7iAOusiE=
=GPVL
-----END PGP SIGNATURE-----
--- End Message ---
