If you use OpenBSD 3.5, BIND 9.2.3 is included in the standard base35.tgz file, which is the best way to manage it. If you keep your system up to date with patches (as described in Chapter 4), then you can probably keep BIND 9 up to date with the rest of the operating system. The OpenBSD project staff are scrupulous about screening the software they bundle and are aggressive about updating software like BIND when vulnerabilities are announced. If you stay up to date, you will be in good shape.

A reasonable version of BIND 9 is included with the base OpenBSD operating system, and it is configured well, so we will not discuss how to install a separate version from scratch on OpenBSD. There are few, if any, good reasons to do that, and many good reasons to stay with the version that is provided by the installation.

Both FreeBSD 4.x-RELEASE and FreeBSD 5.x-RELEASE ship with BIND 8.3.4 by default. Though it is the opinion of the authors, rather than an objective fact, we believe BIND 9 is a better foundation for building your DNS infrastructure than BIND 8. The probability of new vulnerabilities being found in BIND 8 is considerably higher than in BIND 9. The discussion in this chapter, therefore, focuses on how to install, configure, and maintain BIND 9.

5.3.1. FreeBSD

With FreeBSD, you want to overwrite the default version of BIND by installing ports/dns/bind9 from the ports tree. If you do not overwrite the original version, you will have duplicate copies of critical BIND components. You could inadvertently invoke the wrong one, or a script whose PATH was incorrectly set could invoke the wrong one. The command-line syntax of both named and nsupdate has changed significantly between Versions 8 and 9.

The FreeBSD ports system makes it easy to overwrite the installed version of BIND. There are two steps:

Note that the version tracked in ports/dns/bind9 is not always the very latest version. It is occasionally behind by a few minor revisions, unless there is a major security concern. Most sites can usually get along safely without being on the bleeding edge. DNS is such a critical function that the FreeBSD port maintainers are a little conservative about updating it.
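
A check for the duplicate-binary problem described above, as an added example that is not from the book: it walks a PATH value in lookup order and reports every executable copy of named and nsupdate, so a leftover copy that a shell or script would pick up first is visible. The function names (find_copies, count_copies, audit_bind) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the book): find duplicate copies of the BIND
# tools named on this page anywhere along a PATH value.

# find_copies TOOL PATHVALUE
# Prints the full path of every executable TOOL, in PATH lookup order.
# The body runs in a subshell so the IFS and noglob changes stay local.
find_copies() (
    set -f                      # no globbing while splitting PATH
    IFS=:
    for dir in $2; do
        # An empty element (leading or doubled colon) is the current directory.
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
        fi
    done
)

# count_copies TOOL PATHVALUE
# Prints how many executable copies of TOOL are reachable.
count_copies() {
    find_copies "$1" "$2" | wc -l | tr -d ' '
}

# audit_bind PATHVALUE
# Reports on named and nsupdate; returns 1 if either has more than one copy.
audit_bind() {
    status=0
    for tool in named nsupdate; do
        n=$(count_copies "$tool" "$1")
        if [ "$n" -gt 1 ]; then
            echo "DUPLICATE $tool: $n copies, the first one listed is what runs"
            find_copies "$tool" "$1" | sed 's/^/    /'
            status=1
        else
            echo "ok $tool: $n copy on this PATH"
        fi
    done
    return $status
}

# Audit the PATH of the current shell; a nonzero result is reported, not fatal.
audit_bind "$PATH" || echo "more than one copy found; check which one scripts invoke"
```

Run it with the PATH that cron jobs and startup scripts actually use, not only the interactive one, since those are the cases where an incorrectly set PATH picks the other copy.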