[CentOS] Bind Problem or Update SSL ?

Fri Feb 18 21:15:28 UTC 2011
Always Learning <centos at g7.u22.net>

> From: Larry Vaden <vaden at texoma.net>
> Date: Sun, Jan 23, 2011 at 8:03 PM
> Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5?

> Our site running Centos 4.8 and 5.5 name servers was hacked with
> the result that www.yahoo.com is now within our /19 and causing
> some grief.

Don't understand what you mean by 'within our /19'. Have your IP ranges
changed?  If your Bind data is corrupt, why not re-install Centos and
then restore the domains data from one of your regular backups?

Is it a wise business decision to use C 4.8 instead of C 5 or the latest
which is C 5.5 ?

> Google hasn't led me to an RPM for bind-9.7.2-P3 nor has the
> search facility at centos.org.  However, it is obvious from said
> searches that Mandriva upgraded last year.

I believe C6 will include an updated Bind.

> An attempt to install bind-9.7.2-P3 from source yields the warning
> below the sig for both 4.8 and 5.5 machines.

> Your OpenSSL crypto library may be vulnerable to .....
> one or more of the the following known security ....
> flaws:
> CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and 
> CVE-2006-2940.
> It is recommended that you upgrade to OpenSSL
> version 0.9.8d/0.9.7l (or greater).

Well, on my C 5.5 desktop my OpenSSL is (yum info openssl)

Name       : openssl
Arch       : x86_64
Version    : 0.9.8e
Release    : 12.el5_5.7
Size       : 3.4 M

The same version for i686.

Larry, why can't you install the latest OpenSSL ?

On C 5.5 the latest Bind is 9.3.6 (Release: 4.P1.el5_5.3)

If you really need the latest Bind and can not wait about a month for C6
why don't you use a different flavour of Linux?  In business one can not
be too sentimental and difficult decisions have to be made all the time.

With best regards,