Installing BIND 9.2.0

Will Yardley william-nospam-newdream-net at no.spam.veggiechinese.net
Sat Mar 23 09:55:41 UTC 2002


In article <a7hhah$nnk at pub3.rc.vix.com>, phn at icke-reklam.ipsec.nu wrote:
> Pete Ehlke <pde at ehlke.net> wrote:

>> Why ever would you think that you shouldn't change rc.conf? It's *there*
>> for you to change ;)
> 
>> named_enable="YES"
>> named_program="/usr/local/sbin/named"
>> named_flags="-u bind -t /chroot/named"
 
> Bind-9 install scripts will install bind-9 under /usr/local/{bin |
> sbin} and leave the old binaries unaffected.
> 
> This has the side effect that any usage of "dig" "nslookup" or even a
> manual start using "named" will launch the wrong binary.
> 
> Replacing the binaries by placing bind 9 in the same locations
> /usr/{bin | sbin} will cure this. It will however create a
> vulnerability where an update of the host could actually overwrite
> your bind-9 with the "current" bind supplied with the distribution
> (FreeBSD has a "WITHOUT_BIND" directive, however I never seem to find
> it documented)

I think it's been discussed on the list before.
If you use cvsup to update your system, you can put:
NO_BIND=       true

in /etc/make.conf, which I *think* is what you're talking about here.

> This leaves you in a hard and cold place, either locate bind 9 in
> /usr/local , with the risk that the wrong binary will execute, or
> overwrite /usr that makes your system vulnerable to updates/patches.

I leave stuff in /usr/local/{bin|sbin}, but delete the old binaries /
man pages by hand (but with NO_BIND in make.conf so that they don't come
back when I update the system.)

-- 
No copies, please.
To reply privately, simply reply; don't remove anything.
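A check for the two situations the thread describes, added here as an example and not code from the thread or from the BIND project: does the named that PATH resolves to match the named_program set in rc.conf, and does make.conf carry NO_BIND so the base-system BIND is not reinstalled on the next update? The file paths and PATH list are passed as arguments so it can run against copies; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread: audit a FreeBSD host for (1) a stale
# base-system "named" earlier on PATH than the port's named given in rc.conf
# (the "wrong binary will execute" case) and (2) a make.conf without NO_BIND,
# so the next installworld would bring the old BIND back. Nothing is changed,
# only reported. Function names are this example's own.

# Print the value of a sh-style VAR="value" line in FILE (last one wins).
rc_value() { # rc_value FILE VAR
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Print the first executable NAME found along the colon-separated PATHLIST.
first_on_path() { # first_on_path NAME PATHLIST
    _old_ifs=$IFS
    IFS=:
    for _d in $2; do
        if [ -x "$_d/$1" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_d/$1"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# 0 if the named_program from RC_CONF is also the named that PATHLIST
# resolves to; 1 on a mismatch (the wrong binary would run); 2 if none found.
check_named_path() { # check_named_path RC_CONF PATHLIST
    _cfg=$(rc_value "$1" named_program)
    _found=$(first_on_path named "$2") || { echo "no named on PATH"; return 2; }
    [ "$_cfg" = "$_found" ] && return 0
    echo "mismatch: rc.conf starts $_cfg but PATH resolves to $_found"
    return 1
}

# 0 if MAKE_CONF sets NO_BIND (or WITHOUT_BIND, as mentioned in the thread)
# to true, so buildworld/installworld skip the base system's BIND.
check_no_bind() { # check_no_bind MAKE_CONF
    grep -Eq '^[[:space:]]*(NO_BIND|WITHOUT_BIND)[[:space:]]*\??=[[:space:]]*true' "$1"
}

# Usage on a real host:
#   check_named_path /etc/rc.conf "$PATH" && check_no_bind /etc/make.conf
```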