How to patch up Debian sarge bind9 TAKE TWO!

The blogosphere is great, I wrote up on how I patched up my bind9 and quite a few people contacted me or posted comments informing me that it was the wrong patch. I looked into it more today and finally got a real fix for it.

I could not find a patch to fix the DNS cache poisoning problem for bind-9.2.4, it is probably no longer maintained. So I had to compile it from scratch, for the impatient I have hosted the .deb here.

First remove old bind9 package and download bind-9.5.0-P1.tar.gz from and unpack:

$ mkdir /tmp/bind && cd !$ && tar -zxf bind-9.5.0-P1.tar.gz && cd bind-9.5.0-P1/

you might need one or all of these packages, if you’ve never build a .deb before you probably at least need dh-make

$ sudo apt-get install autotools-dev fakeroot dh-make

run dh_make and build:

$ dh_make

tweak configurations in the debian directory, I added –disable-openssl-version-check and –sysconfdir=/etc/bind to the configure options

$ sudo dpkg-buildpackage -rfakeroot

Now you should have a .deb in /tmp/bind, install it as usual

$ cd .. && sudo dpkg -i bind_9.5.0-P2-1_i386.deb

I think I didn’t configure the deb build options correctly so I didn’t get a /etc/init.d/bind9, if you’re missing that after the install, you can grab mine here. Also, when you removed bind9.2.4 it might’ve removed /var/cache/bin, if so, you need to create that directory, or whatever you specified as the directory in /etc/bind/named.conf.

If you have problems getting named to run, look for a file, it should have the error message on why it exited execution. Finally, you should verify it by running something like this:

$ dig +short @localhost txt
"x.x.x.x is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 19585"

If you see GREAT, it’s working, if you see POOR, then you’re still running an outdated version of named/bind9.

Leave a Reply