DNS Cache Snooping?

Jeff Lightner jlightner at water.com
Wed Jun 25 15:58:56 UTC 2008


Thanks - I specifically didn't want to roll my own for the support
reasons you mention.

Having said that though, I do think that having the latest "stable"
release of bind and bind-chroot would make sense to me.  It hardly seems
reasonable to me to say "You need to wait to upgrade RHEL completely" to
get the next release of a given application.   It seems it could be
keyed somehow so that only the folks that specifically wanted to update
to 9.4.x from 9.3.x would do so when they ran updates or yum update.

Anyway thanks for putting the fix for the CVE I mentioned earlier in the
thread - it was caught by one of our scans so would have been caught by
our next PCI scan as well.  Unfortunately the catch complains about
"version 9.3.4 P1 so we'll have to write up that it is resolved in the
specific RPM we have installed.

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Adam Tkac
Sent: Tuesday, June 24, 2008 5:20 PM
To: Paul Vixie
Cc: comp-protocols-dns-bind at isc.org
Subject: Re: DNS Cache Snooping?

On Tue, Jun 24, 2008 at 05:19:21PM +0000, Paul Vixie wrote:
> "Jeff Lightner" <jlightner at water.com> writes:
> > I'm running RHEL5 and am using the canned bind-chroot they provide.
> > Is it possible they compiled in such a way that they excluded
> > allow-query-cache as an option altogether?
> you will probably need to download the latest version of BIND and
> it from sources.  redhat should ideally offer an RPM that will do that
> for you, voiding your support only on this one element of their enterprise
> system, but i think you're on your own.
> -- 
> Paul Vixie

allow-query-cache was introduced in the 9.4 series. When RHEL5 was
released, the 9.4 version was in beta stage, so it was impossible to put it
there. Now there is no way to put 9.4 into RHEL5 because it could break
existing configurations.
