From maradns at gmail.com Thu Dec 20 18:05:10 2012
From: maradns at gmail.com (Sam Trenholme)
Date: Thu, 20 Dec 2012 17:05:10 -0600
Subject: [MaraDNS list] Deadwood 3.2.03 released
Message-ID:

Deadwood has been updated. This is a bugfix-only release relative to Deadwood 3.2.02. The main change that will affect end-users is that Deadwood no longer uses the cache file if it's older than the dwood3rc file.

It can be downloaded here:

http://www.maradns.org/deadwood/stable/

Here is a full changelog:

- Added a whole bunch of security validation to DwCompress.c (always make sure offsets are within bounds)
- Deadwood now compiles with IPv6 support again
- We now handle EasyDNS' bad truncation in a reasonable manner
- Added new SQA test for es-us.noticias.yahoo.com issue in May/June 2012
- Replaced "malloc" with "dw_malloc" wrapper (make it a little easier for embedded devs)
- Updated INSTALL.txt (Windows 7; Deadwood's malloc use)
- There is now a compile-time flag (-DSHOWPACKET) to see every single packet Deadwood receives (for debugging)
- If /etc/deadwood is missing, we now tell them what the missing directory is
- Made the underlying RNG a little faster and about 50 bytes smaller (I like keeping the Windows binary under 65,536 bytes in size)
- Documented the difference between a string, numeric, and dictionary parameter
- If the Deadwood cache file is older than the dwood3rc file, do not load the cache
- SQA update: Netstat changed, breaking one of the SQA tests. These SQA tests have been updated to pass again (and should work when run against an older netstat)
- SQA update: Sometimes the ttl ages one second, which made one of the tests sometimes fail.

Since it took a while to update things to get all of the SQA tests to pass, I am going to implement a policy to, every fourth month, not fix bugs or update documentation in Deadwood, but make sure that none of CentOS/RedHat 6's security updates have broken any of Deadwood's SQA tests.

It would be nice if a routine security update did not say, as happened this time, change netstat's output, but it's very hard to force core system tools or kernel not to change their behavior at all when the code is entirely open-source. Sometimes, you do get what you paid nothing for.

Speaking of open-source economics, I will not work on MaraDNS/Deadwood again until one day next month, after the 20th, unless a critical security bug with a CVE number is found. This will also be my last posting to this list this month barring a new MaraDNS/Deadwood CVE report.

From test24 at mail.ru Sat Dec 29 00:25:17 2012
From: test24 at mail.ru (test24)
Date: Sat, 29 Dec 2012 09:25:17 +0400
Subject: [MaraDNS list] Deadwood 3.2.03 released
Message-ID: <1356758717.553958025@f52.mail.ru>

......
>Speaking of open-source economics, I will not work on MaraDNS/Deadwood
>again until one day next month, after the 20th, unless a critical
>security bug with a CVE number is found. This will also be my last
>posting to this list this month barring a new MaraDNS/Deadwood CVE
>report.

On 2 Deadwoods under high DDoS traffic from users infected PCs (we do not have rights to do antivirus work instead the users (only recommendations))
the good idea to do Deadwood and Mara more stable and extinguish or interrupt the DDoS - make the rate limits as in BIND vjs versions
BIND 9.8.3-vjs197.16-P4

>> the RRL config settings, etc:
>>
>>         rate-limit {
>>                 responses-per-second 5;
>>                 errors-per-second 5;
>>                 window 15;
>>                 slip 5;
>>         };
...

From remco at webconquest.com Sat Dec 29 04:44:14 2012
From: remco at webconquest.com (Remco Rijnders)
Date: Sat, 29 Dec 2012 10:44:14 +0100
Subject: [MaraDNS list] Deadwood 3.2.03 released
In-Reply-To: <1356758717.553958025@f52.mail.ru>
References: <1356758717.553958025@f52.mail.ru>
Message-ID: <%!./ND@r78.nl>

On Sat, Dec 29, 2012 at 09:25:17AM +0400, test24 wrote in <1356758717.553958025 at f52.mail.ru>:
>
>On 2 Deadwoods under high DDoS traffic from users infected PCs (we do not have rights to do antivirus work instead the users (only recommendations))
>the good idea to do Deadwood and Mara more stable and extinguish or interrupt the DDoS - make the rate limits as in BIND vjs versions
>BIND 9.8.3-vjs197.16-P4
>>> the RRL config settings, etc:
>>>
>>>         rate-limit {
>>>                 responses-per-second 5;
>>>                 errors-per-second 5;
>>>                 window 15;
>>>                 slip 5;
>>>         };
>...

Hi test24,

I realise that English is not your native language, but I'm unclear of the message you're trying to convene. Can you please rephrase your question and/or suggestion and send it again?

Thanks,

Remmy