How to properly update BIND

Mattie

Hi,

BIND released an update to fix a serious exploit:

https://kb.isc.org/article/AA-00871

I'm currently using BIND version 9.7.3, so: how can I update without interfering with DirectAdmin?

I tried using apt-get upgrade, however the version is still 9.7.3. I could download BIND and compile it from source, but how will DirectAdmin be affected?

My OS is Debian 6

Thanks in advance,

Matthijs
 
The howto contains both Debian and CentOS :)

Like it says there it's very easy to compile the latest version and it won't mess anything up.
 
Thanks for the reply, I've updated bind, however I'm not sure if it's 100% correct:

In the tutorial it says: "/.../../bind/named/..." where I only have "/.../../named/.."

I checked the version as stated in the tutorial:

root@vps:~# dig @ns1.mattie-systems.nl version.bind txt chaos

; <<>> DiG 9.9.2-P2 <<>> @ns1.mattie-systems.nl version.bind txt chaos
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29192
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
version.bind. 0 CH TXT "9.7.3"

;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.

;; Query time: 0 msec
;; SERVER: 87.119.221.117#53(87.119.221.117)
;; WHEN: Fri Mar 29 12:03:13 2013
;; MSG SIZE rcvd: 73

The first line is 9.9.2, however the "version.bind" is 9.7.3

When I run "named -v" it is 9.9.2

So: what version am I running now :) ?

Thanks
 
You're running 9.7.3, dig is part of bind and you are using the latest bind for dig, but the service isn't.

It is possible that the old version is still running and isn't being stopped by the startup script.

You could try killing it manually first: killall -9 named

Then start it again normally.
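
The distinction described above (dig's banner shows the client tool's version, the ANSWER section shows what the running server reports), as an added example that is not part of the original post: a POSIX shell check over saved dig output. The host name ns1.example.net, the function names and the sample text are constructed for illustration.

```sh
#!/bin/sh
# Added example: split dig's own version from the server's version.bind answer.

# Version of the local dig binary, from the "; <<>> DiG x.y.z <<>>" banner.
dig_client_version() {
    awk '/^; <<>> DiG /{ print $4; exit }'
}

# Version string the running server returned (CH TXT answer record only;
# the ";version.bind." question line and the NS authority line are skipped).
server_reported_version() {
    awk '$1 == "version.bind." && $3 == "CH" && $4 == "TXT" {
             s = $0; sub(/^[^"]*"/, "", s); sub(/"[^"]*$/, "", s)
             print s; exit }'
}

# usage: check_upgrade EXPECTED_VERSION < dig-output
# Exit 0 = server reports EXPECTED, 1 = mismatch, 2 = no version answer.
# The body is a subshell so its variables stay local in plain POSIX sh.
check_upgrade() (
    expected=$1
    out=$(cat)
    client=$(printf '%s\n' "$out" | dig_client_version)
    server=$(printf '%s\n' "$out" | server_reported_version)
    if [ -z "$server" ]; then
        echo "no version.bind answer (refused, or version hidden in config)"
        exit 2
    fi
    if [ "$server" = "$expected" ]; then
        echo "ok: running server reports $server"
        exit 0
    fi
    echo "MISMATCH: dig client is $client, running server reports $server"
    echo "expected $expected: the old named process is probably still running"
    exit 1
)

# Constructed sample, abridged from the dig output quoted in the thread.
SAMPLE_BEFORE='; <<>> DiG 9.9.2-P2 <<>> @ns1.example.net version.bind txt chaos
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "9.7.3"
;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.'
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/"9\.7\.3"/"9.9.2-P2"/')

printf '%s\n' "$SAMPLE_BEFORE" | check_upgrade 9.9.2-P2 || true
# Live use: dig @ns1.example.net version.bind txt chaos | check_upgrade 9.9.2-P2
```

The version.bind answer is whatever the server is configured to return (the `version` option in named.conf can override or hide it), so read a match together with the "starting BIND" line in the system log.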
 
Mar 29 16:17:17 vps named[24516]: starting BIND 9.9.2-P2 -u bind
Mar 29 16:17:17 vps named[24516]: built with defaults
Mar 29 16:17:17 vps named[24516]: ----------------------------------------------------
Mar 29 16:17:17 vps named[24516]: BIND 9 is maintained by Internet Systems Consortium,
Mar 29 16:17:17 vps named[24516]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Mar 29 16:17:17 vps named[24516]: corporation. Support and training for BIND 9 are
Mar 29 16:17:17 vps named[24516]: available at https://www.isc.org/support
Mar 29 16:17:17 vps named[24516]: ----------------------------------------------------
Mar 29 16:17:17 vps named[24516]: using 1 UDP listener per interface
Mar 29 16:17:17 vps named[24516]: using up to 4096 sockets
Mar 29 16:17:17 vps named[24516]: loading configuration from '/etc/named.conf'
Mar 29 16:17:17 vps named[24516]: open: /etc/named.conf: file not found
Mar 29 16:17:17 vps named[24516]: loading configuration: file not found
Mar 29 16:17:17 vps named[24516]: exiting (due to fatal error)

Any idea where I can set that? The file is located in /etc/bind/named.conf

I can't find any "config" option in /etc/init.d/named
 
It's probably the default somewhere.

Normally there is a symlink, you can just recreate it:

ln -s /etc/bind/named.conf /etc/named.conf
 
Thanks, however in that case I need to add a symlink for every file....

Mar 29 16:26:19 vps named[25046]: ----------------------------------------------------
Mar 29 16:26:19 vps named[25046]: BIND 9 is maintained by Internet Systems Consortium,
Mar 29 16:26:19 vps named[25046]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Mar 29 16:26:19 vps named[25046]: corporation. Support and training for BIND 9 are
Mar 29 16:26:19 vps named[25046]: available at https://www.isc.org/support
Mar 29 16:26:19 vps named[25046]: ----------------------------------------------------
Mar 29 16:26:19 vps named[25046]: using 1 UDP listener per interface
Mar 29 16:26:19 vps named[25046]: using up to 4096 sockets
Mar 29 16:26:19 vps named[25046]: loading configuration from '/etc/named.conf'
Mar 29 16:26:19 vps named[25046]: reading built-in trusted keys from file '/etc/bind.keys'
Mar 29 16:26:19 vps named[25046]: using default UDP/IPv4 port range: [1024, 65535]
Mar 29 16:26:19 vps named[25046]: using default UDP/IPv6 port range: [1024, 65535]
[....]
Mar 29 16:26:19 vps named[25046]: generating session key for dynamic DNS
Mar 29 16:26:19 vps named[25046]: sizing zone task pool based on 32 zones
Mar 29 16:26:19 vps named[25046]: set up managed keys zone for view _default, file 'managed-keys.bind'
Mar 29 16:26:19 vps named[25046]: automatic empty zone: 10.IN-ADDR.ARPA
Mar 29 16:26:19 vps named[25046]: automatic empty zone: 16.172.IN-ADDR.ARPA
[......]
Mar 29 16:26:19 vps named[25046]: automatic empty zone: B.E.F.IP6.ARPA
Mar 29 16:26:19 vps named[25046]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Mar 29 16:26:19 vps named[25046]: open: /etc/rndc.key: file not found
Mar 29 16:26:19 vps named[25046]: couldn't add command channel 127.0.0.1#953: file not found
Mar 29 16:26:19 vps named[25046]: open: /etc/rndc.key: file not found
Mar 29 16:26:19 vps named[25046]: couldn't add command channel ::1#953: file not found

I can create them but there must be an easy way?
 
I started the old version again and looked in the config:

Mar 29 16:32:58 vps named[25259]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=' 'CPPFLAGS='

Do you think it may be best if I recompile the new version WITH those flags to ensure optimal compatibility?
 
It's only one more, those 2 warnings are related.

ln -s /etc/bind/rndc.key /etc/rndc.key

Then it should be all good.

I suppose you could use those configure parameters but I would still change the prefix from /usr to /usr/local to not overwrite the os package.
 
Hi, sorry for the late reply. Due to Easter and the fact that I was sick, I didn't have any time before today.
I think I'm all set now!

root@vps:~# dig @ns1.mattie-systems.nl version.bind txt chaos

; <<>> DiG 9.9.2-P2 <<>> @ns1.mattie-systems.nl version.bind txt chaos
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16516
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
version.bind. 0 CH TXT "9.9.2-P2"

;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.

;; Query time: 0 msec
;; SERVER: 87.119.221.117#53(87.119.221.117)
;; WHEN: Fri Apr 5 11:02:42 2013
;; MSG SIZE rcvd: 76

Thanks for your help! I hope it will keep working :)
 