I have two servers that need BIND upgraded to the patched versions; YUM is of no help, and neither is APT.

The FC4 version installed is bind.i386 24:9.3.1-20.FC4. The RH9 version is bind-9.2.1-16.

What steps do I need to take to upgrade to a patched version, and what impact will it have during the upgrade? Should I start with the slave server on FC4?
Hey, I'm in the exact same boat! I did not think there was anybody else out there running FC4 and RH9. Do you want to update BIND because of the exploit that has been in the news recently? If so, there may be a 'better' way to avoid the problem. Are you comfortable with iptables?
When I try:

Code:
dig +short @net.company.abc porttest.dns-oarc.net TXT

with net.company.abc being the address for our DNS IP, I get:

I've tried a few times the past couple of days.
Yep, the IP address is usable for outsiders. I tried running it from another system that is running version 8.3 of dig. It does not support the '+short' option, but without it, the (munged) return is:
update fc9

Hi, I have recently upgraded 2 rh8 servers, so I know the process will be the same for the rh9 one. I downloaded bind-9.5.0b3 from the bind site. You should be able to follow the steps below (I grabbed them from my bash history); make sure you back up all your bind configs first. Also, the new bind binary will be installed to /usr/local/sbin and the old one will still be in /usr/sbin.

1. Extract the tar file:
Code:
tar -zxvf bind-9.5.0b3.tar.gz

2. Change into the new directory:
Code:
cd bind-9.5.0b3

3. Configure the software (I don't remember why I needed the ssl switch):
Code:
./configure --disable-openssl-version-check
make
make install

4. Symlink the old to the new:
Code:
cd /usr/sbin
mv named named.orig
ln -s /usr/local/sbin/named named

5. Restart named:
Code:
/etc/init.d/named restart

The above worked for me on 2 servers, but I did have the luxury of having a 3rd server which was not running bind to test it on. If you have a spare/non-dns RH server to use as a test, I suggest you use it.

I also added the below to my named.conf in the options section:
Code:
pid-file "/var/run/named/named.pid";

I hope this helps
Wayne
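The backup-and-symlink part of the procedure above (steps 4 and 5) is the point where a bad build takes the resolver down, so it helps to have the swap and its undo as scripted functions. This is an added example, not code from the thread or from ISC; the function names (backup_configs, swap_named, rollback_named, named_resolves_to) are my own, and every path is a parameter so the functions can be exercised against a scratch directory before touching /usr/sbin.

```shell
#!/bin/sh
# Added example (not from the thread): back up the BIND config files and
# swap /usr/sbin/named for the freshly built /usr/local/sbin/named in a way
# that can be undone.  Paths are parameters; the defaults in the usage
# note mirror what the thread does by hand.

# backup_configs DEST FILE...
# Copies each FILE that exists into DEST (created if needed).  Returns 0
# when at least one file was copied, 1 otherwise, so a typo in the config
# path is caught before the binary is replaced.
backup_configs() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    copied=0
    for f in "$@"; do
        if [ -f "$f" ]; then
            cp -p "$f" "$dest/" && copied=$((copied + 1))
        fi
    done
    [ "$copied" -gt 0 ]
}

# swap_named OLD NEW
# Renames OLD to OLD.orig (once; an existing .orig is never clobbered,
# because it is the rollback copy) and links OLD -> NEW.  Refuses to run
# if NEW is not an executable file, i.e. the build did not produce it.
swap_named() {
    old=$1; new=$2
    [ -x "$new" ] || { echo "new binary $new missing or not executable" >&2; return 1; }
    if [ -e "$old.orig" ]; then
        echo "$old.orig already exists; refusing to overwrite the rollback copy" >&2
        return 1
    fi
    [ -e "$old" ] && { mv "$old" "$old.orig" || return 1; }
    ln -s "$new" "$old"
}

# rollback_named OLD
# Undoes swap_named: removes the symlink and restores OLD.orig.
rollback_named() {
    old=$1
    [ -L "$old" ] && rm -f "$old"
    [ -e "$old.orig" ] || { echo "no rollback copy at $old.orig" >&2; return 1; }
    mv "$old.orig" "$old"
}

# named_resolves_to OLD NEW -> 0 if OLD is a symlink pointing at NEW
named_resolves_to() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}
```

On a real host the sequence would be `backup_configs /root/bind-backup /etc/named.conf /etc/rndc.key` (add whatever else named.conf includes), then `swap_named /usr/sbin/named /usr/local/sbin/named`, then `/etc/init.d/named restart`; if the new build fails to start, `rollback_named /usr/sbin/named` puts the distribution binary back and the old init script works again unchanged.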
The

Code:
--disable-openssl-version-check

is to stop it from complaining about the version of OpenSSL that is installed. We have OpenSSL 0.9.8b 04 installed on our RedHat Enterprise5 and cannot find a more current one to install. I built and installed bind-9.5.0-P2 on the RHE5, which had no previous bind on it, but it did not install anything for /etc/init.d, and when I try

Code:
service named status

I get a response of "named: unrecognized service", even though /usr/local/sbin/named exists.
Hello

All of mine had a previous version of bind installed, so I guess it's using the original init script. Below is a copy from one of mine.

Code:
#!/bin/bash
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named

# [ -f /usr/sbin/named ] || exit 0
[ -f /usr/local/sbin/named ] || exit 0

[ -f ${ROOTDIR}/etc/named.conf ] || exit 0

RETVAL=0
prog="named"

start() {
        # Start daemons.
        if [ -n "`/sbin/pidof named`" ]; then
                echo -n $"$prog: already running"
                return 1
        fi
        echo -n $"Starting $prog: "
        if [ -n "${ROOTDIR}" -a "x${ROOTDIR}" != "x/" ]; then
                OPTIONS="${OPTIONS} -t ${ROOTDIR}"
        fi
        # Since named doesn't return proper exit codes at the moment
        # (won't be fixed before 9.2), we can't use daemon here - emulate
        # its functionality
        base=$prog
        named -u named ${OPTIONS}
        RETVAL=$?
        usleep 100000
        if [ -z "`/sbin/pidof named`" ]; then
                # The child processes have died after fork()ing, e.g.
                # because of a broken config file
                RETVAL=1
        fi
        [ $RETVAL -ne 0 ] && failure $"$base startup"
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named && success $"$base startup"
        echo
        return $RETVAL
}

stop() {
        # Stop daemons.
        echo -n $"Stopping $prog: "
        /usr/sbin/rndc stop
        RETVAL=$?
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named || {
                killproc named
                RETVAL=$?
                [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
        }
        echo
        return $RETVAL
}

rhstatus() {
        /usr/sbin/rndc status
        return $?
}

restart() {
        stop
        start
}

reload() {
        /usr/sbin/rndc reload >/dev/null 2>&1 || /usr/bin/killall -HUP `/sbin/pidof -o %PPID named`
        return $?
}

probe() {
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/sbin/rndc reload >/dev/null 2>&1 || echo start
        return $?
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        rhstatus
        ;;
  restart)
        restart
        ;;
  condrestart)
        [ -f /var/lock/subsys/named ] && restart
        ;;
  reload)
        reload
        ;;
  probe)
        probe
        ;;
  *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|probe}"
        exit 1
esac

exit $?

Make sure the file is executable. If running the below works

Code:
/etc/init.d/named start

I believe you can run the below, which should then start named/bind on every boot.

Code:
chkconfig --levels 235 named on

I hope this helps
Wayne
I've just tested this on a Centos VM without named being previously installed. The install creates the binaries but does not install any of the base config files, and it does not add the named user to the system. You will need a working copy of these files to get it up and running; I have a copy of mine in /root/workingdns. I had to run the below to get it working after running "make install":

Code:
cd /usr/sbin
ln -s /usr/local/sbin/named named
useradd -m -c named -s /bin/false named
cp /root/workingdns/named.conf /etc/
cp /root/workingdns/rndc.key /etc/
mkdir /var/named
cp /root/workingdns/named.ca /var/named/
mkdir /var/run/named
chown named:named /var/run/named
chown -R named:named /var/named/
cp /root/workingdns/named /etc/init.d/
chmod +x /etc/init.d/named
chkconfig --levels 235 named on

It might be easier to add bind via yum if you can; then you can run my original instructions to update it if Redhat have not released an update.

Wayne
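The post above is effectively a checklist of everything `make install` leaves out on a box that never had the distribution package: the symlink, the service account, the two config files, the hints file, directory ownership and the init script. The following is an added example (not from the thread) that runs that checklist before `named` is restarted, so a missing piece shows up as a named failure instead of a silent exit from the init script's `[ -f ... ] || exit 0` guards. The function names (check_bind_layout, owned_by, user_exists) and the ROOT parameter are my own: ROOT is prefixed to every path so the checks can be run against a scratch tree, and on a real host it is called with an empty ROOT and USER=named.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the hand-built BIND
# layout described above before restarting named.  ROOT is prepended to
# every path; USER is the account named runs as (a name or numeric uid).

# owned_by PATH USER -> 0 if PATH exists and is owned by USER.
# find -prune on the starting point tests the path itself without descending.
owned_by() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# user_exists NAME_OR_UID -> 0 if the account is known to the system.
# getent consults NSS; the awk fallback covers hosts without getent.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1 ||
        awk -F: -v u="$1" '$1 == u || $3 == u { f = 1 } END { exit !f }' /etc/passwd
}

# check_bind_layout ROOT USER
# Prints one MISSING line per failed check and returns the number of
# failures, so 0 means the tree matches the post's checklist.
check_bind_layout() {
    root=$1; user=$2; fails=0
    fail() { echo "MISSING: $1"; fails=$((fails + 1)); }

    [ -x "$root/usr/local/sbin/named" ]    || fail "$root/usr/local/sbin/named (built binary)"
    [ -L "$root/usr/sbin/named" ]          || fail "$root/usr/sbin/named symlink to the new binary"
    user_exists "$user"                    || fail "system account '$user'"
    [ -f "$root/etc/named.conf" ]          || fail "$root/etc/named.conf"
    [ -f "$root/etc/rndc.key" ]            || fail "$root/etc/rndc.key"
    [ -f "$root/var/named/named.ca" ]      || fail "$root/var/named/named.ca (root hints)"
    owned_by "$root/var/named" "$user"     || fail "$root/var/named owned by $user"
    owned_by "$root/var/run/named" "$user" || fail "$root/var/run/named owned by $user"
    [ -x "$root/etc/init.d/named" ]        || fail "$root/etc/init.d/named executable init script"
    return "$fails"
}
```

Typical use on the server itself is `check_bind_layout "" named && /etc/init.d/named start`; the exit status doubles as a count, so a script can tell "one thing forgotten" from "nothing installed at all".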