From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 15:05:57 2008
Date: Thu, 10 Jul 2008 18:41:35 +0400 (MSD)
From: Dmitry Morozovsky <marck@rinet.ru>
To: stef@memberwebs.com
Cc: freebsd-security@freebsd.org, Remko Lodder, Doug Barton, secteam@freebsd.org, Andrew Storms
Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]
Message-ID: <20080710183843.Q58331@woozle.rinet.ru>
In-Reply-To: <20080709204114.471A2F1835D@mx.npubs.com>

On Wed, 9 Jul 2008, Stef wrote:

S> Thanks!
S>
S> Here are simple steps to use this instead of the base named (and easily
S> go back later):
S>
S> # cd /usr/ports/dns/bind9
S> # make && make install
S> # ln -s /etc/namedb/named.conf /usr/local/etc/named.conf
S> # echo 'named_program="/usr/local/sbin/named"' >> /etc/rc.conf
S> # /etc/rc.d/named restart
S>
S> LMK if I missed something.

(or use NO_BIND= in /etc/make.conf and WITH_REPLACE_BASE= on port options, but be careful when upgrading configs...)

Just to have you and other related parties informed of a pitfall I stepped into:

-- 8< --
From: BIND9 Bugs via RT
Subject: [ISC-Bugs #18265] AutoReply: bind update to 9.4.2.1: 'empty label' inconsistent check
-------------------------------------------------------------------------

Dear Doug and ISC maintainers,

just updated bind94 on our master server and found that together with the vulnerability fixes there is at least one glitch in the configuration checks.

History: we have an automatic scripted system to secondary some zones from one of our partners. So, part of named.conf is auto-generated, then checked via named-checkconf and then applied.

After today's upgrade I found that the new server failed to start, which is really a PITA, as it has 13k+ authoritative zones. named-checkconf does not return an error. named reports 'empty label' without any reference to config file and/or line number.

After some nervous minutes of binary search ;-) I found the offending line, which erroneously contains two dots instead of one.

I suppose this should be fixed at least in named-checkconf.
-- 8< --

Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer: marck@FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------
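A pre-flight check for the pitfall described in the quoted bug report, added here as an example that is not part of the original message nor of BIND or named-checkconf: it scans an auto-generated named.conf for zone names with an empty label (a doubled or leading dot) and reports the file line number, which named itself does not. The one-zone-statement-per-line layout and the sample config are assumptions.

```python
import re

# Matches the zone name in a `zone "example.net" { ... };` statement.
# Assumption (constructed): one zone statement per line with the name in
# double quotes, as an auto-generated named.conf usually has.
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]*)"', re.IGNORECASE)

def has_empty_label(name):
    """True if a zone name has an empty label, e.g. 'foo..example.net'.

    The root zone "." is valid and one trailing dot is a normal FQDN;
    any other empty label makes named refuse to start.
    """
    if name == ".":
        return False
    if name.endswith("."):
        name = name[:-1]
    return any(label == "" for label in name.split("."))

def find_empty_labels(conf_text):
    """Return (line_number, zone_name) for every offending zone statement."""
    bad = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = ZONE_RE.match(line)
        if m and has_empty_label(m.group(1)):
            bad.append((lineno, m.group(1)))
    return bad

# Constructed sample: a fragment of an auto-generated secondary-zone config.
SAMPLE_CONF = """\
options { directory "/etc/namedb"; };
zone "." { type hint; file "named.root"; };
zone "example.net" { type slave; masters { 192.0.2.1; }; file "s/example.net"; };
zone "foo..example.net" { type slave; masters { 192.0.2.1; }; file "s/foo"; };
zone "bar.example.net." { type slave; masters { 192.0.2.1; }; file "s/bar"; };
zone ".leading.example.net" { type slave; masters { 192.0.2.1; }; file "s/lead"; };
"""

if __name__ == "__main__":
    import sys
    # Check a real file if one is given, else the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for lineno, name in find_empty_labels(text):
        print(f"line {lineno}: empty label in zone name {name!r}")
```

Run it against the generated file before named-checkconf, so a bad name is rejected before the server is restarted.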