Chapter 14. A Guide to BIND 4

BIND 4 is a dead-end, as far as development goes. The ISC is not developing it, and the only possible reason to run it is that some policy, such as "use only vendor supported software," forces you to use a UNIX-vendor supplied version of BIND. In many cases, this means you must use BIND 4. That doesn't necessarily completely limit you to BIND 4, though, because the ISC sells support contracts to BIND users, and you can, in fact, have a vendor-supported BIND 8. See the site at http://www.isc.org/ for more information. If that still is not enough to upgrade to BIND 8, be aware that BIND 4 has security problems that your OS vendor might or might not have done anything to fix in the version you have. (Actually, some people claim that BIND 4.9.7 is more secure than BIND 8. However, there has never been any remote root exploit for BIND 4.9.7, whereas for noncurrent versions of BIND 8, root exploits do exist. For this reason, OpenBSD still ships with BIND 4.9.7. BIND 4.9.7 suffers from some other problems with security impact, though mainly cache poisoning.) Several UNIX vendor versions of BIND 4 are fixed and patched in some respects, though, so they do not correspond to the information you might find on the Internet about problems with the same version of ISC BIND 4. If you install all available BIND/named and libc/NIS/YP/resolver and related patches from your vendor, it should be reasonably safe.

The latest release of BIND 4 from the ISC is BIND 4.9.7, which was released after BIND 8.1. In it, the ISC fixed bugs (including one important security bug) and memory leaks. Your UNIX-vendor BIND might be based on an older version than that. Still, as mentioned, they might have provided analogous fixes in their patch sets for your UNIX. You should make sure that you install any BIND- and resolver-related (possibly inside libc) patches your vendor supplies. And then hope your vendor fixed all the important problems.