
Re: Bind 9: consequences of completely removing all bind9 packages on jessie and stretch?



On Sun, Jul 23, 2017 at 06:55:09AM -0500, Tom Browder wrote:
> I would like to remove all bind9 packages from servers running bind9
> and install the latest bind9 from source.

Because you want to satisfy internal audits that don't understand how
Debian security patching works, right?  Right?  Right.  OK.

And you realize that this is LESS secure than using the Debian version,
or at least it will be way more work, because you will have to track
the security advisories yourself, and recompile the next upstream BIND
patch release yourself, every time there's a new security bug found.

Which is like once a week, with BIND.  Because it's the most horrifyingly
bug-ridden piece of software in the entire Unixsphere, after sendmail.

> Two questions, please:
> 
> 1.  Will there be any adverse consequences from the substitution if I
> install with --prefix=/usr/local?

That's the default.  You don't even need to specify it.

> 2.  Same question as 1 but for installation into --prefix=usr?

Don't do that.

Step 1: Get the BIND source and compile and install it.  You shouldn't
need any fancy ./configure options at all.

wooledg@svr4:/usr/src$ head bind-9.10.4-P8/config.log
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by BIND configure 9.10, which was
generated by GNU Autoconf 2.69.  Invocation command line was

  $ ./configure 


Step 2: Create a systemd unit file to run your new service.  I based mine
on the Debian unit file.

wooledg@svr4:/usr/src$ cat /etc/systemd/system/bind9.service 
[Unit]
Description=BIND DNS server
After=network.target

[Service]
EnvironmentFile=-/etc/default/bind9
ExecStart=/usr/local/sbin/named -f $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target


As you can see, I kept the Debian /etc/default/bind9 options file.
This includes, among other things, the -c option that tells BIND
where the master config file is.  I continued using Debian's configs,
because why not?  It's easy, and it's a known quantity.


Step 3: Remove but DO NOT PURGE the Debian bind9 package.  Unless you make
a copy of all the configs first and then restore them after the purge.
Or copy them into a different location, and change the unit file to read
them from the new location.


Step 4: Start up your local bind9.service.

systemctl daemon-reload
systemctl enable bind9.service
systemctl start bind9.service


Step 5: Infinite loop of checking for new upstream version, downloading,
compiling/installing, and restarting the service.

Whoops, looks like "9.10.4-P8" has been superseded again.

Time to get to downloadin'.
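The "infinite loop" of Step 5, plus the two checks a careful operator wants around Steps 1 and 3, as a small POSIX sh helper. This is an added example, not code from the original message nor from the BIND or Debian projects. It compares the version string `named -v` reports against the newest upstream release string, refuses to build a tarball whose SHA-256 does not match a digest you obtained out of band (ISC publishes signed digests; downloading and PGP-verifying them is outside this snippet), and checks that the Debian config files named.conf, named.conf.options and named.conf.local are still on disk before the locally built named is started. The banner, the "latest" version string and the file contents in the sample run are constructed.

```shell
#!/bin/sh
# Added example: version-tracking and pre-build checks for a BIND built from
# source. All sample inputs below are constructed, not real server output.

# Extract "9.10.4-P8" from a `named -v` banner such as
# "BIND 9.10.4-P8 <id:4d8d3c0>" (constructed sample format).
bind_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9.]*\(-P[0-9]*\)\{0,1\}\).*/\1/p'
}

# Turn "9.10.4-P8" into a space-separated numeric key "9 10 4 8".
# A release without a -P suffix gets patch level 0, so 9.10.4 < 9.10.4-P1.
bind_version_key() {
    ver=$1
    patch=0
    case "$ver" in
        *-P*) patch=${ver##*-P}; ver=${ver%%-P*} ;;
    esac
    printf '%s %s\n' "$(printf '%s' "$ver" | tr '.' ' ')" "$patch"
}

# Print -1, 0 or 1 for a < b, a == b, a > b, comparing field by field.
bind_version_cmp() {
    a_key=$(bind_version_key "$1")
    b_key=$(bind_version_key "$2")
    i=1
    while [ "$i" -le 4 ]; do
        a=$(printf '%s\n' "$a_key" | cut -d' ' -f"$i")
        b=$(printf '%s\n' "$b_key" | cut -d' ' -f"$i")
        a=${a:-0}; b=${b:-0}
        if [ "$a" -lt "$b" ]; then echo -1; return; fi
        if [ "$a" -gt "$b" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    echo 0
}

# True (exit 0) when the upstream release in $2 is newer than the version
# named in the banner $1, i.e. the rebuild loop of Step 5 has work to do.
bind_rebuild_needed() {
    installed=$(bind_version_from_banner "$1")
    [ "$(bind_version_cmp "$installed" "$2")" -eq -1 ]
}

# Step 1 guard: compare the downloaded tarball's SHA-256 with the expected
# digest (assumed to have been obtained and signature-checked out of band).
verify_tarball_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Step 3 guard: removing the Debian package keeps its configs, purging deletes
# them. Refuse to proceed if the files the -c option points at are gone.
bind_configs_present() {
    for f in named.conf named.conf.options named.conf.local; do
        [ -f "$1/$f" ] || { echo "missing: $1/$f" >&2; return 1; }
    done
    return 0
}

# Stand-alone sample run on constructed inputs.
SAMPLE_BANNER='BIND 9.10.4-P8 <id:0000000>'   # constructed banner
SAMPLE_LATEST='9.10.5'                        # constructed "latest" string
if bind_rebuild_needed "$SAMPLE_BANNER" "$SAMPLE_LATEST"; then
    echo "installed $(bind_version_from_banner "$SAMPLE_BANNER") is older than $SAMPLE_LATEST: rebuild due"
else
    echo "installed BIND is current"
fi
```

In practice the banner comes from `/usr/local/sbin/named -v` and the "latest" string from whatever release feed you trust; the point of the digest and config checks is that a scripted rebuild loop should fail closed rather than compile whatever it fetched or start a daemon with no configuration.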

