Symptom:
Vulnerabilities are occasionally discovered in the BIND name server, and updates are then prepared and released to address these. It’s important to stay informed regarding such problems, and to try to stay reasonably current.
ISC (which currently stands for Internet Systems Consortium) maintains a web page detailing the problems that have been found in the BIND name server.
Find Out What You Have
The solution to such vulnerabilities is almost always to upgrade to a current version of the BIND name server. If you’re not sure what version you currently have, you can find out by asking it.
Determine what binary you’re using. If there’s just one copy installed, you can probably use whereis named to find out. If you think you might have more than one copy installed, especially if the copy in use might be in a non-standard location, you’ll have to examine something like ps axww | grep named | grep -v grep and/or the named init script in order to find out where it is.
Execute this command, replacing the ‘/path/to’ with the correct path to your active copy of named:
    /path/to/named -v
This should tell you what version of named you’re using.
Starting with BIND 9.6.0, the parameter "-V" will also print out the compile-time configuration of the installed BIND version:
    $ named -V
    BIND 9.6.0-APPLE-P2
    built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-dependency-tracking' '--sysconfdir=/private/etc' '--localstatedir=/private/var' '--enable-atomic=no' 'CFLAGS=-arch x86_64 -arch i386 -arch ppc -g -Os -pipe ' 'LDFLAGS=-arch x86_64 -arch i386 -arch ppc ' 'CXXFLAGS=-arch x86_64 -arch i386 -arch ppc -g -Os -pipe '
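The check described above, scripted as an added example (this is not code from the original article or from ISC): it locates the named binary that is actually running, runs its "-v", and compares the reported version with a minimum. The ps column layout, the fallback to "command -v", and the default minimum version are assumptions; the minimum you really want comes from the ISC advisory for the problem you are checking. Note that the key keeps the ISC patch level (-Pn) as a fourth component, because 9.6.0-P1 and 9.6.0 are different builds from a security point of view.

```shell
#!/bin/sh
# Added example, not part of the original article. Locates the running named,
# asks it for its version and compares that with a minimum. Adjust the ps
# lookup to your platform; MINIMUM is a placeholder, not an advisory value.

# find_named: path of the named that is actually running (BSD-style "ps axww",
# columns assumed PID TT STAT TIME COMMAND), falling back to the one on PATH.
find_named() {
    bin=$(ps axww 2>/dev/null | awk '$5 ~ /(^|\/)named$/ { print $5; exit }')
    if [ -n "$bin" ] && [ -x "$bin" ]; then
        printf '%s\n' "$bin"; return 0
    fi
    command -v named 2>/dev/null
}

# bind_version_key "BIND 9.6.0-APPLE-P2" -> 9.6.0.2
# Leading dotted numbers plus the ISC patch level (-Pn, 0 if absent) as a
# fourth component, so 9.6.0-P2 sorts above 9.6.0-P1 and 9.6.0. Other vendor
# suffixes (here -APPLE) carry no ordering and are dropped. Only the first
# line is used, so "-V" output works as well as "-v".
bind_version_key() {
    line=$(printf '%s\n' "$1" | head -n 1)
    ver=$(printf '%s\n' "$line" |
        sed -n 's/^BIND \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p')
    [ -n "$ver" ] || return 1
    p=$(printf '%s\n' "$line" | sed -n 's/^BIND [^ ]*-P\([0-9][0-9]*\).*/\1/p')
    printf '%s.%s\n' "$ver" "${p:-0}"
}

# version_at_least HAVE WANT: return 0 if dotted HAVE >= dotted WANT.
# Missing trailing components count as 0, so 9.6 equals 9.6.0.0.
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        nh = split(have, h, "."); nw = split(want, w, ".")
        n = (nh > nw) ? nh : nw
        for (i = 1; i <= n; i++) {
            a = (i <= nh) ? h[i] + 0 : 0
            b = (i <= nw) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# named_is_at_least /path/to/named 9.6.0.1: run "-v" on the binary and compare.
# Returns 2 if the output cannot be parsed as a BIND version line.
named_is_at_least() {
    key=$(bind_version_key "$("$1" -v 2>&1)") || return 2
    version_at_least "$key" "$2"
}

MINIMUM=${MINIMUM:-9.6.0.0}   # placeholder; take the real minimum from the ISC advisory

main() {
    bin=$(find_named) || { echo "no named binary found" >&2; return 2; }
    ver=$("$bin" -v 2>&1 | head -n 1)
    if named_is_at_least "$bin" "$MINIMUM"; then
        echo "$bin: $ver (at or above $MINIMUM)"
    else
        echo "$bin: $ver (not at or above $MINIMUM, or unparsable: upgrade)" >&2
        return 1
    fi
}

case ${1:-} in --check) main ;; esac
```

Run it as "sh check_named.sh --check" (optionally with MINIMUM=9.x.y.p in the environment); the exit status is 0 when the running binary is at or above the minimum, which makes it usable from a monitoring job.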
Compiling and Installing BIND 9
To upgrade, first see if your operating system vendor supplies an update package that’s sufficiently current. If not, take the following steps:
- Download the source code for BIND 9 from ISC. Look here: http://www.isc.org/sw/bind/.
- Decompress the archive. For example, this often works:
    tar xzf bind-*.tar.gz
  On some operating systems, you must use something like this instead:
    gzcat bind-*.tar.gz | tar x
- Configure and make:
    cd bind-*
    ./configure && make
  You might want to specify the same configuration options that you can find with "-V" (see above) from your installed copy of BIND.
- Install. As root (or using sudo, if you’re able), copy or move the newly compiled version into place, replacing your old binary. For example, on many operating systems:
    su            # or possibly sudo -s
    cd bin
    cp named/named rndc/rndc /usr/sbin
    exit
  You might also want to install some of the other binaries, such as bin/dig/dig, bin/dig/host, bin/check/named-checkconf, bin/check/named-checkzone, etc. A fairly complete installation, including manpages but not including lwresd, might look like this (but note that the correct location of manpage files varies by platform):
    su            # or possibly sudo -s
    cd bin
    cp check/named-checkconf check/named-checkzone dnssec/dnssec-keygen \
       dnssec/dnssec-signzone named/named rndc/rndc-confgen rndc/rndc /usr/sbin
    cp dig/dig dig/host dig/nslookup nsupdate/nsupdate /usr/bin
    cp */*.8 /usr/share/man/man8
    cp */*.5 /usr/share/man/man5
    cp */*.1 /usr/share/man/man1
    exit
- Make any necessary changes to your configuration. For example, if you’re moving from BIND 8 to BIND 9 with the Men & Mice Suite installed, you must make significant changes to your configuration files to accommodate using rndc instead of ndc, as well as updating the logging statement. The details are given in other knowledge base articles.
- Stop and start both named and the Men & Mice DNS Server Controller. This can be done using their respective init scripts.
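The install and restart steps above overwrite the old binary in place. As an added example (not code from the original article or from ISC), the script below performs the same copy but keeps a dated copy of every binary it replaces so you can roll back, and first confirms that the freshly built named runs and that the new named-checkconf accepts your existing configuration, before anything is restarted. The source-tree layout (bin/named/named, bin/check/named-checkconf), the destination directories and the configuration path are assumptions taken from the steps above; adjust them to your platform.

```shell
#!/bin/sh
# Added example, not part of the original article. Installs BIND binaries
# with a rollback copy and a configuration pre-check. Paths are assumptions.

# install_with_backup SRCDIR DESTDIR FILE...
# Each FILE is relative to SRCDIR (e.g. named/named) and is copied to
# DESTDIR/<basename>. An existing DESTDIR/<basename> is first moved aside to
# <basename>.old.<stamp>. The stamp comes from $BACKUP_STAMP if set (keeps
# tests deterministic) and from date(1) otherwise.
install_with_backup() {
    src=$1; dest=$2; shift 2
    stamp=${BACKUP_STAMP:-$(date +%Y%m%d%H%M%S)}
    for rel in "$@"; do
        name=$(basename "$rel")
        if [ ! -x "$src/$rel" ]; then
            echo "missing or not executable: $src/$rel" >&2
            return 1
        fi
        if [ -e "$dest/$name" ]; then
            mv "$dest/$name" "$dest/$name.old.$stamp" || return 1
        fi
        cp -p "$src/$rel" "$dest/$name" || return 1
    done
}

# rollback DESTDIR STAMP NAME...: put the saved copies back in place.
rollback() {
    dest=$1; stamp=$2; shift 2
    for name in "$@"; do
        if [ ! -e "$dest/$name.old.$stamp" ]; then
            echo "no backup for $name with stamp $stamp" >&2
            return 1
        fi
        mv "$dest/$name.old.$stamp" "$dest/$name" || return 1
    done
}

# preflight NEWNAMED CHECKCONF CONFFILE: the new binary must run and report a
# BIND version line, and the (new) named-checkconf must accept the current
# configuration. Run this before install_with_backup, not after the restart.
preflight() {
    newnamed=$1; checkconf=$2; conf=$3
    "$newnamed" -v 2>/dev/null | grep -q '^BIND ' || {
        echo "$newnamed does not report a BIND version" >&2; return 1; }
    "$checkconf" "$conf" || {
        echo "$checkconf rejected $conf" >&2; return 1; }
}

# Typical use as root from the unpacked source tree after "make", matching
# the layout used in the steps above (all paths assumed):
#   preflight bin/named/named bin/check/named-checkconf /etc/named.conf &&
#   install_with_backup bin /usr/sbin named/named rndc/rndc check/named-checkconf
# then restart named and the DNS Server Controller with their init scripts.
# If the new build misbehaves:  rollback /usr/sbin <stamp> named rndc named-checkconf
```

Keeping the old binary next to the new one costs nothing and turns a bad upgrade into a one-command rollback; running the new named-checkconf against the existing configuration before the restart catches the rndc and logging statement changes mentioned above while the old server is still serving.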