Now is the Time for BIND Version 9.1.0
A flurry of warnings from several security watchdog agencies and individuals declared "Serious Internet Security Holes" and warned the internet community with dire headlines and an opening paragraph telling us to Brace Up... The Games are about to begin. See the Computerworld article: http://computerworld.com/cwi/story/0,1199,NAV65-663_STO57079,00.html. While I'm not personally affiliated with any of the groups mentioned in the article, I hold a responsible position within the community and owe my income to people who trust me to watch for and warn them of potential security exposures. This one caught my attention. Not because it's new, but because the time seems right with the release of BIND (The Next Generation) 9.1.0.
I installed 9.1.0 early this morning after reading the hype and the 9.1.0 release notes. I'm impressed. The hardest part of the upgrade and conversion was fetching the tarball. We've all faced busy sites. This morning was the typical new-release, new-kernel, first-day-of-the-newest-kewlest-toy rush.
After four or five busy-retry-redial attempts I was able to fetch the 3MB tarball from ftp.isc.org. Installation was simple and straightforward without any unpleasant surprises. OK, two easily worked-around gotchas.
Of course the MD5 checksum has changed. Since BIND 9.1.0 isn't available from an official FreeBSD source via cvsup, no FreeBSD MD5 signature is available. It's easy enough to work around from the command line, or by generating a new MD5 signature from the tarball itself (md5 bind-9-1-0.tar.gz). Of course a checksum computed from the very tarball you just downloaded proves nothing about its integrity, so I suggest you simply work around the MD5 checksum test at the CLI.
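The point above is that an MD5 generated from the downloaded tarball only proves the file matches itself. A checksum check is worth something only when the expected digest comes from somewhere other than the download. The following helper is an added example, not part of the original article or of the BIND distribution; it assumes the expected digest is obtained separately (the value used in the demonstration below is computed from a constructed file, and the tarball name and published digest are placeholders), and it works on both GNU md5sum and BSD md5.

```shell
#!/bin/sh
# verify_md5 FILE EXPECTED_HEX
# Computes the MD5 digest of FILE and compares it with EXPECTED_HEX,
# a digest obtained from a source other than the download itself.
# Returns 0 on match, 1 on mismatch, 2 on a usage or tooling error.
verify_md5() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "verify_md5: no such file: $file" >&2
        return 2
    fi
    # GNU/Linux ships md5sum; FreeBSD and other BSDs ship md5 -q.
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | cut -d' ' -f1)
    elif command -v md5 >/dev/null 2>&1; then
        actual=$(md5 -q "$file")
    else
        echo "verify_md5: neither md5sum nor md5 is available" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK  $file $actual"
        return 0
    fi
    echo "FAIL $file: got $actual, expected $expected" >&2
    return 1
}

# Demonstration on a constructed file, not the BIND tarball: the line
# "hello" followed by a newline has the well-known MD5 below.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
verify_md5 "$demo_file" b1946ac92492d2347c6235b4d2611184
rm -f "$demo_file"

# Real use would look like (placeholder digest, not a published value):
#   verify_md5 bind-9-1-0.tar.gz PUBLISHED_MD5_FROM_ANNOUNCEMENT
```

The function's exit status makes it usable as a gate in an install script, so a mismatched tarball stops the build before configure runs rather than being noticed afterwards.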
The BIND Makefile changed, and the BIND 9.0.0 patch-makefile.in required a one-line change where BSD BIND stores named.conf in /etc/namedb. I simply deleted the patch and moved on with the install.
An author's note recommends using your system's OpenSSL in place of BIND's built-in security apparatus in order to decrease working set size and overhead and improve throughput when using DNSSEC. We want to use DNSSEC where possible to ensure the integrity of our DNS session partner and of the exchanged authoritative namespace data.
There are several pre-BIND 9 options which are deprecated and no longer supported. BIND issues a diagnostic and continues to initialize. You can take your time and make the changes at your leisure without losing time, wasting energy, or fighting off unnecessary aggravation.
I built BIND after unpacking the tarball, entering the configuration as follows.
1). bind9 configure at the prompt: configure --prefix=/usr --with-openssl=/lib
3). make test
4). ndc stop
5). pkg_remove bind-your-release
6). make install
7). move named.conf from /etc/namedb to /etc
8). named -u bind
That's all there is to it. If you followed the instructions and your intuition, BIND is now up and running and happily resolving foreign requests.
I've been monitoring my BIND 9.1.0 for over 14 hours now. So far so good. All is working as described. Tomorrow I'll generate new DNSSEC keys and configure rndc, which replaces ndc.
In closing, I neglected to mention that ndc is no longer included and has been replaced by a secure implementation of ndc called rndc. You can read about rndc and its new approach to security and control in the release notes and perhaps in a follow-up article.
Also of interest is nslookup. We were warned and knew it was simply a matter of time. Now it's official... sort of. nslookup now issues a diagnostic message on startup indicating its demise is imminent... get used to using dig and host. I'm sorry to see a faithful old dog retired... but like me, sooner or later everything faces renewal and we all find ourselves replaced. :)
EGaDS aka Steven Guitar Wicked
The BIND announcement...
"No severity one exposures were added to the list today. The exposures were compromised zones enabling some wannabe asswipe to exercise an integrity exposure which resulted in a DoS. BIND Version 9.1.0 is a rewrite and quite nice. It's been running w/o a problem since early this morning. BIND version 9.1.0 enables the use of the base openssl library in place of BIND's builtin capability, which they claim reduces overhead and improves throughput.