BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address.
There is a new bug in BIND
, affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) through BIND 9.9.7-P1 and BIND 9.10.2-P2.
Basically, anyone can stop your BIND service (named), effectively shutting down your name resolution.
So if you administer name servers using BIND, you need to update NOW
Unfortunately, that means you cannot wait for binaries for your distribution to become available, you need to install from source.
- You need to install a development environment in your DNS servers
- Configuring and compiling can take a long time, using resources
- You need to uninstall the current packages, without losing your zone files and named config, including startup scripts.
configure a test server, configure, compile and install the new version of BIND from source, then copy all the files to the production servers. This way you disrupt the service for 20 sec max.
Caveat: all servers should run the same distribution and packages.
My servers all run Debian 7.8, with minimal packages installed, to reduce attack vectors.
1. Create a test server (either from scratch, or by cloning one of your production DNS servers).
2. Prepare the build environment
test-server:apt-get install build-essential libssl-dev
3. Download and extract the package: