DNS patches cause problems, developers admit

Patches released earlier this month to quash a critical bug in the Domain Name System (DNS) have slowed servers running BIND, the Internet's most popular DNS software, and crippled some systems versions of Windows Server.

Paul Vixie, who heads the Internet Systems Consortium (ISC), the group responsible for the BIND (Berkeley Internet Name Domain) software, acknowledged that there were problems with the July 8 fix that was rolled out as part of a multivendor update meant to patch a cache poisoning flaw discovered months before by researcher Dan Kaminsky.

"During the development cycle, we became aware of a potential performance issue on high-traffic recursive servers, defined as those seeing a query volume of greater than 10,000/queries per second," said Vixie in a message posted Monday afternoon to a BIND mailing list. "Given the limited time frame and associated risks, we chose to finish the patches ASAP and accelerate our work on the next point releases that would address the high-volume server performance concerns.