Hi all,
Are you using bind as a local caching resolver on your exits?
The DNS resolver on our exit crashed over the weekend due to this bug: https://kb.isc.org/article/AA-01466
It hasn't been patched yet in Debian: https://security-tracker.debian.org/tracker/CVE-2017-3137
So I have added a file: /etc/systemd/system/bind9.service.d/restart-on-abort.conf
With the text:
[Service]
Restart=on-abort
This should work for any systemd/bind9 Linux system.
T
--
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
------------------------------------------------------------------------
That bug has been "fixed" in RHEL6/CentOS6 since the update on 20 Apr 2017 but the crashes still occur. As far as I can tell, all the "fix" did was move the assertion failure from resolver.c to validator.c.
On 04/26/2017 02:19 AM, teor wrote:
Hi all,
Are you using bind as a local caching resolver on your exits?
The DNS resolver on our exit crashed over the weekend due to this bug: https://kb.isc.org/article/AA-01466
It hasn't been patched yet in Debian: https://security-tracker.debian.org/tracker/CVE-2017-3137
So I have added a file: /etc/systemd/system/bind9.service.d/restart-on-abort.conf
With the text:
[Service]
Restart=on-abort
This should work for any systemd/bind9 Linux system.
T
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
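
Added example, not part of the original thread and not BIND or Tor project code: a small Python scan of syslog output that groups named assertion aborts by source file, which shows whether crashes moved from resolver.c to validator.c as the reply describes. The log lines are constructed, and the message formats matched are an assumption based on typical named syslog output.

```python
import re
from collections import Counter

# Constructed syslog lines (not from the thread). Source line numbers and the
# asserted conditions are placeholders, not values from the real bug.
SAMPLE_LOG = """\
Apr 22 03:14:07 exit1 named[811]: resolver.c:1234: INSIST(placeholder_cond) failed, back trace
Apr 22 03:14:07 exit1 named[811]: exiting (due to assertion failure)
Apr 22 03:14:08 exit1 systemd[1]: bind9.service: Main process exited, code=killed, status=6/ABRT
Apr 23 11:02:51 exit1 named[2290]: validator.c:5678: REQUIRE(placeholder_cond) failed
Apr 23 11:02:51 exit1 named[2290]: exiting (due to assertion failure)
Apr 23 11:05:00 exit1 named[2301]: client 127.0.0.1#53124: query: example.org IN A
"""

# named reports the failed check first, then announces the abort.
ASSERT_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: (?P<file>[\w./-]+\.c):(?P<line>\d+): "
    r"(?P<kind>INSIST|REQUIRE|ENSURE|INVARIANT)\((?P<cond>.*)\) failed")
EXIT_RE = re.compile(r"named\[(?P<pid>\d+)\]: exiting \(due to assertion failure\)")


def find_assertion_crashes(log_text):
    """Return one record per named process that aborted on an assertion."""
    pending = {}  # pid -> details of the assertion line seen for that pid
    crashes = []
    for line in log_text.splitlines():
        hit = ASSERT_RE.search(line)
        if hit:
            pending[hit.group("pid")] = hit.groupdict()
            continue
        hit = EXIT_RE.search(line)
        if hit:
            pid = hit.group("pid")
            # The assertion line may be missing (rotated or rate-limited logs).
            detail = pending.pop(pid, {"pid": pid, "file": "unknown",
                                       "line": None, "kind": None, "cond": None})
            crashes.append(dict(detail, when=line[:15]))
    return crashes


def crashes_by_source_file(crashes):
    """Count aborts per BIND source file, e.g. resolver.c vs validator.c."""
    return Counter(c["file"] for c in crashes)


if __name__ == "__main__":
    found = find_assertion_crashes(SAMPLE_LOG)
    for c in found:
        print(c["when"], c["file"], c["line"], c["kind"])
    print(dict(crashes_by_source_file(found)))
```
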