listserv.traffic at sloop.net wrote:
>> Check out the following bug report. I would also look at other bind bug
>> reports. My sense is that Red Hat has deviated quite a bit from the ISC
>> version of bind. In particular I believe that they disabled or otherwise
>> modified the caching behavior back about 6-8 months ago when there were
>> major security issues with bind. I have felt that my Red Hat/CentOS name
>> servers have not worked as well as Fedora or ISC bind name servers since
>> this time. You might try installing ISC bind and see if that solves your
>> problem.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=553334
>>
>> Nataraj
>
> Interesting - though in our case it's failing long before a few
> million lookups. I don't much relish compiling ISC versions to run on
> my box - the security implications and other hassles don't seem
> trivial. [We don't allow external [the world] lookups - just local
> "trusted" users, but that only mitigates some of the security concerns.]
>
> Perhaps it's possible to use an older version that's security
> patched. Ugh.

Though I have not done it in a while, it's not a big deal to build ISC bind. If you have compilers installed, you untar it and run "make" or "make install", maybe setting up the path for installation.

With the security issues today, I often run a separate system for name servers (actually I use virtual machines). In fact, mostly I set up both an internal and an external nameserver where the internal one forwards queries to the external one so it never receives packets from the Internet. So the internal one could be on your mail server and the external one could be a separate box.

For test purposes, you could try ISC bind on any old box just to determine if it solves the problem. Alternatively, if the problem is urgent I guess you could buy a Red Hat license and try to get them to up the priority on resolving this.

If you have the time and skills, you could install a debug compiled version of CentOS bind and try to either debug it or capture a dump of it when it breaks and submit that to developers.

I don't think running ISC bind for a short time is a major risk. It's quite widely deployed in the field.

Nataraj

> -Greg
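
The internal/external nameserver split described in the reply above, sketched as two named.conf fragments. This is an added example, not configuration posted in the thread; every address is a constructed placeholder (10.0.0.0/24 as the trusted LAN, 10.0.0.53 as the internal server, 10.0.1.53 as the external resolver).

```conf
// ---- internal server (e.g. on the mail server): named.conf ----
// Answers local "trusted" clients only and never resolves on the
// Internet itself; everything it cannot answer goes to the external box.
acl "trusted" { 127.0.0.1; 10.0.0.0/24; };    // constructed LAN range

options {
    listen-on       { 127.0.0.1; 10.0.0.53; }; // constructed internal address
    recursion       yes;
    allow-query     { trusted; };
    allow-recursion { trusted; };
    forwarders      { 10.0.1.53; };            // constructed external resolver
    forward only;   // do not fall back to iterating from the root servers
};

// ---- external resolver (separate box or VM): named.conf ----
// Performs the actual recursion against Internet name servers, but
// accepts queries from the internal server alone.
acl "internal-ns" { 10.0.0.53; };              // constructed internal address

options {
    listen-on       { 10.0.1.53; };
    recursion       yes;
    allow-query     { internal-ns; };
    allow-recursion { internal-ns; };
};
```

With `forward only`, the internal server returns a failure when the external resolver is unreachable instead of contacting Internet name servers directly, which keeps the isolation intact during an outage.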