Upgrading BIND FC4 and RH9

Discussion in 'Server Operation' started by ACDII, Jul 24, 2008.

  1. ACDII

    ACDII Member

    I have two servers that need BIND upgraded to the patched versions. YUM is of no help, neither is APT. The FC4 version is
    bind.i386 24:9.3.1-20.FC4 installed

    The RH9 version is
    bind-9.2.1-16

    What steps do I need to take to upgrade to a patched version and what impact will it have during the upgrade? Should I start with the slave server on FC4?
     
  2. falko

    falko Super Moderator ISPConfig Developer

    FC4 and RH9 aren't supported anymore so I guess you have to compile BIND yourself...
     
  3. ACDII

    ACDII Member

    Great, don't have a clue on how to do that.
     
  4. chipsafts

    chipsafts New Member

    Hey, I'm in the exact same boat! :)
    Did not think there was anybody else out there running FC4 and RH9.

    Do you want to update BIND due to the exploit that has been in the news recently? If so, there may be a 'better' way to avoid the problem. Are you comfortable with iptables?
     
  5. ACDII

    ACDII Member

    Yes and No.
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Got a contribution yesterday that shows how to fix BIND. Will publish it tomorrow.
     
  7. chipsafts

    chipsafts New Member

  8. falko

    falko Super Moderator ISPConfig Developer

    Yes. I've just written a similar guide for Debian that I will publish today. :)
     
  9. chipsafts

    chipsafts New Member

    When I try:
    Code:
    dig +short @net.company.abc porttest.dns-oarc.net TXT
    
    with net.company.abc being the address for our DNS IP,
    I get:
    I've tried a few times the past couple of days.
     
  10. falko

    falko Super Moderator ISPConfig Developer

    Are you sure that your name server is running and can be accessed (firewall)?
     
  11. chipsafts

    chipsafts New Member

    Yep, the IP address is usable for outsiders.
    I tried running it from another system that is running
    version 8.3 of dig. It does not support the '+short' option, but without it, the (munged) return is:
     
  12. falko

    falko Super Moderator ISPConfig Developer

    Can you try the IP address instead of the hostname?
     
  13. chipsafts

    chipsafts New Member

    Code:
    dig  @300.3.3.300 porttest.dns-oarc.net TXT
    
     
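    Added example (not part of any post in this thread): a small script that wraps the porttest query from the posts above and turns the answer into something you can script on. porttest.dns-oarc.net reports on the source ports the resolver uses for its own outgoing queries, so the dig has to reach a server that will recurse for the machine you run it from. The report format and the two sample answers in the script are assumptions based on DNS-OARC's documented output, not results from anyone in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: run the DNS-OARC port test against a
# resolver and turn the answer into an exit status you can script on.
# Assumes the TXT record has the shape DNS-OARC documents, e.g.
#   "203.0.113.5 is GOOD: 26 queries in 1.3 seconds from 26 ports with std dev 18722"
# The two sample answers below are constructed, not real results.

# Read dig output on stdin (with or without +short), print
# "<verdict> ports=<n> stddev=<s>" and return 0 for GOOD, 1 for FAIR/POOR,
# 2 when no report came back at all. An empty answer is what chipsafts saw
# above and usually means the query never reached a resolver that would
# recurse for you (filtered by a firewall, or recursion refused).
porttest_verdict() {
    # Strip the quotes dig puts around TXT data and keep the report line only;
    # a full (non +short) answer also carries a CNAME line we do not want.
    answer=$(tr -d '"' | awk '/ is (GOOD|FAIR|POOR):/ { print; exit }')
    if [ -z "$answer" ]; then
        echo "NOANSWER"
        return 2
    fi
    verdict=$(echo "$answer" | sed -n 's/^.* is \([A-Z]*\):.*$/\1/p')
    ports=$(echo "$answer" | sed -n 's/^.* from \([0-9]*\) ports.*$/\1/p')
    stddev=$(echo "$answer" | sed -n 's/^.* std dev \([0-9]*\).*$/\1/p')
    echo "$verdict ports=$ports stddev=$stddev"
    [ "$verdict" = "GOOD" ]
}

# Query the resolver under test. No +short, so this also works with the
# dig 8.x mentioned above; porttest_verdict parses the full answer anyway.
run_porttest() {
    dig @"$1" porttest.dns-oarc.net TXT | porttest_verdict
}

# Constructed samples in the documented format (not real measurements).
SAMPLE_GOOD='"203.0.113.5 is GOOD: 26 queries in 1.3 seconds from 26 ports with std dev 18722"'
SAMPLE_POOR='"203.0.113.5 is POOR: 26 queries in 1.2 seconds from 1 ports with std dev 0"'

if [ -n "${1:-}" ]; then
    run_porttest "$1"              # e.g. ./porttest.sh 203.0.113.5
else
    for s in "$SAMPLE_GOOD" "$SAMPLE_POOR" ""; do
        echo "$s" | porttest_verdict && echo "  -> ok" || echo "  -> status $?"
    done
fi
```

    Run it with the resolver's IP as the only argument; with no argument it only classifies the built-in samples. Status 2 (no report) is not a verdict: the query was dropped or refused, so check the firewall and whether the server recurses for your source address before reading anything into it.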
  14. vaiojunkie

    vaiojunkie New Member

    update fc9

    Hi

    I have recently upgraded 2 rh8 servers so I know the process will be the same for the rh9 one.

    I downloaded bind-9.5.0b3 from the bind site. You should be able to follow the below steps (I grabbed them from my bash history); make sure you back up all your bind configs first. Also the new bind binary will be installed to /usr/local/sbin and the old one will still be in /usr/sbin.

    1. Extract the tar file:
    Code:
    tar -zxvf bind-9.5.0b3.tar.gz
    
    2. Change into the new directory:
    Code:
    cd bind-9.5.0b3
    
    3. Configure the software (I don't remember why I needed the ssl switch):
    Code:
    ./configure --disable-openssl-version-check
    make
    make install
    
    4. Symlink the old to the new:
    Code:
    cd /usr/sbin
    mv named named.orig
    ln -s /usr/local/sbin/named named
    
    5. Restart named:
    Code:
    /etc/init.d/named restart

    The above worked for me on 2 servers but I did have the luxury of having a 3rd server which was not running bind to test it on. If you have a spare/non-dns RH server to use as a test I suggest you use it. I also added the below to my named.conf in the options section

    pid-file "/var/run/named/named.pid";

    I hope this helps


    Wayne
     
  15. chipsafts

    chipsafts New Member

    the
    Code:
    --disable-openssl-version-check
    
    is to stop it from complaining about the version of OpenSSL that is installed. We have OpenSSL 0.9.8b 04 installed on our RedHat Enterprise5 and cannot find a more current one to install.

    I built and installed bind-9.5.0-P2 on the RHE5 which had no previous bind on it , but it did not install anything for /etc/init.d and when I try
    Code:
    service named status
    
    I get a response of "named: unrecognized service", even though /usr/local/sbin/named exists.
     
  16. vaiojunkie

    vaiojunkie New Member

    Hello

    All of mine had a previous version of bind installed so I guess it's using the original init script. Below is a copy from one of mine.

    Code:
    #!/bin/bash
    #
    # named           This shell script takes care of starting and stopping
    #                 named (BIND DNS server).
    #
    # chkconfig: - 55 45
    # description: named (BIND) is a Domain Name Server (DNS) \
    # that is used to resolve host names to IP addresses.
    # probe: true
    
    # Source function library.
    . /etc/rc.d/init.d/functions
    
    # Source networking configuration.
    . /etc/sysconfig/network
    
    # Check that networking is up.
    [ "${NETWORKING}" = "no" ] && exit 0
    
    [ -f /etc/sysconfig/named ] && . /etc/sysconfig/named
    
    # [ -f /usr/sbin/named ] || exit 0
    [ -f /usr/local/sbin/named ] || exit 0
    
    [ -f ${ROOTDIR}/etc/named.conf ] || exit 0
    
    RETVAL=0
    prog="named"
    
    start() {
            # Start daemons.
            if [ -n "`/sbin/pidof named`" ]; then
                    echo -n $"$prog: already running"
                    return 1
            fi
            echo -n $"Starting $prog: "
            if [ -n "${ROOTDIR}" -a "x${ROOTDIR}" != "x/" ]; then
                    OPTIONS="${OPTIONS} -t ${ROOTDIR}"
            fi
            # Since named doesn't return proper exit codes at the moment
            # (won't be fixed before 9.2), we can't use daemon here - emulate
            # its functionality
            base=$prog
            named -u named ${OPTIONS}
            RETVAL=$?
            usleep 100000
            if [ -z "`/sbin/pidof named`" ]; then
                    # The child processes have died after fork()ing, e.g.
                    # because of a broken config file
                    RETVAL=1
            fi
            [ $RETVAL -ne 0 ] && failure $"$base startup"
            [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named && success $"$base startup"
            echo
            return $RETVAL
    }
    stop() {
            # Stop daemons.
            echo -n $"Stopping $prog: "
            /usr/sbin/rndc stop
            RETVAL=$?
            [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named || {
                    killproc named
                    RETVAL=$?
                    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
            }
            echo
            return $RETVAL
    }
    rhstatus() {
            /usr/sbin/rndc status
            return $?
    }
    restart() {
            stop
            start
    }
    reload() {
            /usr/sbin/rndc reload >/dev/null 2>&1 || /usr/bin/killall -HUP `/sbin/pidof -o %PPID named`
            return $?
    }
    probe() {
            # named knows how to reload intelligently; we don't want linuxconf
            # to offer to restart every time
            /usr/sbin/rndc reload >/dev/null 2>&1 || echo start
            return $?
    }  
    
    # See how we were called.
    case "$1" in
            start)
                    start
                    ;;
            stop)
                    stop
                    ;;
            status)
                    rhstatus
                    ;;
            restart)
                    restart
                    ;;
            condrestart)
                    [ -f /var/lock/subsys/named ] && restart
                    ;;
            reload)
                    reload
                    ;;
            probe)
                    probe
                    ;;
            *)
                    echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|probe}"
                    exit 1
    esac
    
    exit $?
    Make sure the file is executable.

    If running the below works
    Code:
    /etc/init.d/named start
    I believe you can run the below which should then start named/bind on every boot.
    Code:
    chkconfig --level 235 named on

    I hope this helps



    Wayne
     
  17. vaiojunkie

    vaiojunkie New Member

    I've just tested this on a Centos VM without named being previously installed.
    The install creates the binaries but does not install any of the base config files and it does not add the named user to the system. You will need a working copy of these files to get it up and running; I have a copy of mine in /root/workingdns

    I had to run the below to get it working after running "make install"

    Code:
    cd /usr/sbin
    ln -s /usr/local/sbin/named named
    useradd -m -c named -s /bin/false named
    cp /root/workingdns/named.conf /etc/
    cp /root/workingdns/rndc.key /etc/
    mkdir /var/named
    cp /root/workingdns/named.ca /var/named/
    mkdir /var/run/named
    chown named:named /var/run/named
    chown -R named:named /var/named/
    cp /root/workingdns/named /etc/init.d/
    chmod +x /etc/init.d/named
    chkconfig --level 235 named on
    
    It might be easier to add bind via yum if you can, then you can run my original instructions to update it if Redhat have not released an update.


    Wayne
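    Added example, not code from Wayne or anyone else in the thread: after following the build, symlink and init-script steps in the posts above, this checks that the box is really running the new binary and that named.conf does not defeat it. The paths are the ones used in the thread (/usr/local/sbin/named, /usr/sbin/named, /usr/sbin/rndc, /etc/named.conf) and can be overridden in the environment; the default minimum version is the 9.5.0-P2 chipsafts built, so set MIN_VERSION to whatever you built. The query-source check is a caveat not raised in the thread: a `query-source ... port 53;` line in the options block pins every outgoing query to one port, which throws away the source-port randomisation the patched builds add. The `-ef` test and /proc/<pid>/exe are assumed to be available (bash or dash on Linux), and the script needs root to read /proc/<pid>/exe.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a hand-built BIND after the
# "make install; ln -s /usr/local/sbin/named /usr/sbin/named" procedure above.
# Assumed paths are the ones used in the thread; override them in the environment.
# Run as root:  ./check_bind_upgrade.sh check
NAMED_LINK=${NAMED_LINK:-/usr/sbin/named}       # what PATH and the init script find
NAMED_NEW=${NAMED_NEW:-/usr/local/sbin/named}   # what `make install` produced
RNDC=${RNDC:-/usr/sbin/rndc}                    # hard-coded in the posted init script
NAMED_CONF=${NAMED_CONF:-/etc/named.conf}
MIN_VERSION=${MIN_VERSION:-9.5.0-P2}            # the version you built (chipsafts' above)

# "9.5.0-P2" -> "9 5 0 2"; a release with no -Pn suffix gets patch level 0,
# and a beta tag such as "9.5.0b3" is compared as 9.5.0.
ver_fields() {
    echo "$1" | sed 's/-P/./; s/[a-z].*$//' |
        awk -F. '{ printf "%d %d %d %d\n", $1, $2, $3, $4 }'
}

# True when version $1 is at or above version $2.
version_ge() {
    awk -v a="$(ver_fields "$1")" -v b="$(ver_fields "$2")" 'BEGIN {
        n = split(a, x, " "); split(b, y, " ")
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Version string a named binary reports ("BIND 9.5.0-P2" -> "9.5.0-P2").
version_of() {
    "$1" -v 2>/dev/null | sed -n 's/^BIND \([^ ]*\).*/\1/p'
}

# True when the named.conf on stdin pins the outgoing port with
# "query-source [address ...] port <number>;". Line comments (// and #) are
# ignored; /* */ block comments are not handled. A pinned port means every
# query leaves from one port, so the upgraded build gains nothing from
# source-port randomisation; "port *" or no port clause leaves it random.
query_source_pins_port() {
    sed 's#//.*$##; s/#.*$//' |
        grep -E 'query-source(-v6)?[^;]*port[[:space:]]+[0-9]+' >/dev/null
}

pass() { echo "PASS $*"; }
fail() { echo "FAIL $*"; fails=$((fails + 1)); }

# Run every check against the live system; returns the number of failures.
check_install() {
    fails=0
    if [ "$NAMED_LINK" -ef "$NAMED_NEW" ]; then
        pass "$NAMED_LINK is the build in $NAMED_NEW"
    else
        fail "$NAMED_LINK is not $NAMED_NEW (old package binary still first on PATH?)"
    fi

    v=$(version_of "$NAMED_LINK")
    if version_ge "${v:-0}" "$MIN_VERSION"; then
        pass "named -v reports $v"
    else
        fail "named -v reports '${v:-nothing}', wanted $MIN_VERSION or later"
    fi

    if [ -x "$RNDC" ]; then
        pass "$RNDC present"
    else
        fail "$RNDC missing: the init script's status/stop/reload will fail"
    fi

    checkconf="$(dirname "$NAMED_NEW")/named-checkconf"
    if [ -x "$checkconf" ] && "$checkconf" "$NAMED_CONF"; then
        pass "$NAMED_CONF parses with $checkconf"
    else
        fail "$NAMED_CONF does not parse with $checkconf (or the tool is missing)"
    fi

    if query_source_pins_port < "$NAMED_CONF"; then
        fail "$NAMED_CONF pins the query source port; drop the port clause"
    else
        pass "no fixed query-source port in $NAMED_CONF"
    fi

    pid=$(/sbin/pidof named 2>/dev/null | cut -d' ' -f1)
    if [ -n "$pid" ] && [ "/proc/$pid/exe" -ef "$NAMED_NEW" ]; then
        pass "running named (pid $pid) is the new build"
    else
        fail "named not running, or still the old binary: restart it"
    fi
    return $fails
}

case "${1:-}" in
    check) check_install ;;
esac
```

    The last check is the one that matters most after the symlink step: `service named restart` only helps if the init script's `named` resolves to the new binary, and a named that was started before the symlink was made is still the old code until it is restarted.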
     
