Manually upgrading Bind / Named to version 9.9.1-P1 [Security patches].

Hi folks.

The latest Bind / Named version was released several days ago to patch this vulnerability.

The thread was started on PCLinuxOS Forum in the appropriate section to request it being upgraded but from what I can see members / devs are not really in a rush to get this version into the repository as almost no one votes for it or reports it as being looked at… Who would give a hairy rat’s behind about some stupid security patch huh? Right… Well I do.

So I have decided to just compile this thing myself. I have left the repository Bind installed and I have done this:

su

root's password

export PREFIX=/usr/

export PATH=$PREFIX/bin:$PATH

export PKG_CONFIG_PATH=$PREFIX/lib/pkgconfig:$PREFIX/share/pkgconfig

cd /opt/

mkdir Bind

cd Bind

wget -c ftp://ftp.isc.org/isc/bind9/9.9.1-P1/bind-9.9.1-P1.tar.gz

tar xvzf ./bind-9.9.1-P1.tar.gz

cd bind-9.9.1-P1

./configure --prefix=$PREFIX --sysconfdir=/etc/

You can expect missing dependencies here. I had no problems whatsoever as I have a good few “devel” packages installed – try figuring out what You’re missing if You do run into a snag, then install it from Synaptic (without closing this window) and re-run the above configure step till there are no errors.

make

make install

ls --full-time /var/lib/named/var/

One of the listed items should look like this:

drwxr-xr-x 7 root root 4096 2012-06-15 23:51:43.468278052 +0100 named/

ls --full-time /var/lib/named/var/named

chown named:named /var/lib/named/var/named/

drwxr-xr-x 7 named named 4096 2012-06-15 23:51:43.468278052 +0100 named/

Now in this terminal window type in

tail -f /var/log/syslog

and leave it be.

Open another terminal window and run these commands:

su

root's password

named -v

The reply should look like this:

BIND 9.9.1-P1

service named restart

and the reply should look something like this:

Stopping named:                        [ OK ]
Starting named:                          [ OK ]

and at the same time in the first terminal window You should see output similar to this:

Jun 16 00:19:13 icsserver named[791]: starting BIND 9.9.1-P1 -u named -t /var/lib/named
Jun 16 00:19:13 icsserver named[791]: built with '--prefix=/usr/' '--sysconfdir=/etc/'
Jun 16 00:19:13 icsserver named[791]: ----------------------------------------------------
Jun 16 00:19:13 icsserver named[791]: BIND 9 is maintained by Internet Systems Consortium,
Jun 16 00:19:13 icsserver named[791]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jun 16 00:19:13 icsserver named[791]: corporation. Support and training for BIND 9 are
Jun 16 00:19:13 icsserver named[791]: available at https://www.isc.org/support
Jun 16 00:19:13 icsserver named[791]: ----------------------------------------------------
Jun 16 00:19:13 icsserver named[791]: using 1 UDP listener per interface
Jun 16 00:19:13 icsserver named[791]: using up to 4096 sockets
Jun 16 00:19:13 icsserver named[791]: loading configuration from '/etc/named.conf'
Jun 16 00:19:13 icsserver named[791]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Jun 16 00:19:13 icsserver named[791]: statistics channel listening on 127.0.0.1#5380
Jun 16 00:19:13 icsserver named[791]: using default UDP/IPv4 port range: [1024, 65535]
Jun 16 00:19:13 icsserver named[791]: using default UDP/IPv6 port range: [1024, 65535]
Jun 16 00:19:13 icsserver named[791]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 16 00:19:13 icsserver named[791]: listening on IPv4 interface eth1, 192.168.0.1#53
Jun 16 00:19:13 icsserver named[791]: listening on IPv4 interface ppp0, 31.200.150.65#53
Jun 16 00:19:13 icsserver named[791]: generating session key for dynamic DNS
Jun 16 00:19:13 icsserver named[791]: sizing zone task pool based on 19 zones
Jun 16 00:19:13 icsserver named[791]: using built-in DLV key for view _default
Jun 16 00:19:13 icsserver named[791]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 10.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 16.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 17.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 18.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 19.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 20.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 21.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 22.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 23.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 24.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 25.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 26.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 27.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 28.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 29.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 30.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 31.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 168.192.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 127.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: D.F.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 8.E.F.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: A.E.F.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: B.E.F.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: command channel listening on 127.0.0.1#953
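
The startup lines above carry what is worth confirming after a manual upgrade: the version actually running, the -u / -t privilege drop and chroot, and that the command and statistics channels listen on loopback only. The script below is an added example, not part of the original post; check_named_startup and sample_log are hypothetical names, and the sample lines are copied from the output above. Since the repository Bind is still installed under the same prefix, it is worth re-running after package updates (feed it /var/log/syslog on stdin).

```shell
# Added example, not part of the original post. check_named_startup and
# sample_log are hypothetical names. Reads syslog on stdin and audits the
# most recent named start; exit status 0 means no FAIL lines were printed.
check_named_startup() {
    awk -v want="$1" '
    # Each "starting BIND" line resets state so only the latest start counts.
    / named\[[0-9]+\]: starting BIND / {
        seen = 1; ver = ""; user = ""; jail = ""; nchan = 0
        for (i = 1; i < NF; i++) {
            if ($i == "BIND") ver  = $(i + 1)
            if ($i == "-u")   user = $(i + 1)
            if ($i == "-t")   jail = $(i + 1)
        }
        next
    }
    # The rndc command channel and the statistics channel belong on loopback.
    seen && / named\[[0-9]+\]: (command|statistics) channel listening on / {
        addr = $NF; sub(/#[0-9]+$/, "", addr)
        chan[++nchan] = $(NF - 4) " " addr
    }
    END {
        if (!seen) { print "FAIL no named start found in log"; exit 1 }
        bad = 0
        if (ver != want) { print "FAIL running " ver ", expected " want; bad = 1 }
        else print "OK   version " ver
        if (user == "" || user == "root") { print "FAIL no unprivileged -u user"; bad = 1 }
        else print "OK   drops privileges to " user
        if (jail == "") { print "FAIL not chrooted (-t missing)"; bad = 1 }
        else print "OK   chroot " jail
        for (i = 1; i <= nchan; i++) {
            split(chan[i], c, " ")
            if (c[2] == "127.0.0.1" || c[2] == "::1") print "OK   " c[1] " channel on " c[2]
            else { print "FAIL " c[1] " channel exposed on " c[2]; bad = 1 }
        }
        exit bad
    }'
}

# Sample input: four of the startup lines shown in the post.
sample_log() {
cat <<'EOF'
Jun 16 00:19:13 icsserver named[791]: starting BIND 9.9.1-P1 -u named -t /var/lib/named
Jun 16 00:19:13 icsserver named[791]: statistics channel listening on 127.0.0.1#5380
Jun 16 00:19:13 icsserver named[791]: listening on IPv4 interface eth1, 192.168.0.1#53
Jun 16 00:19:13 icsserver named[791]: command channel listening on 127.0.0.1#953
EOF
}

sample_log | check_named_startup 9.9.1-P1
```
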

This should be it… You have compiled and are running the latest patched version of Bind…

Regards.

Andy
