FS#22553 - critical vulnerabilities in BIND

Attached to Project: Arch Linux
Opened by Geert Hendrickx (ghen) - Saturday, 22 January 2011, 18:04 GMT
Last edited by Gaetan Bisson (vesath) - Monday, 24 January 2011, 12:31 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

I know outdated packages should normally not be reported this way, but I already flagged the BIND package as outdated >7 weeks ago, and e-mailed the maintainer several times (with patches)...

BIND 9.7.3-P2 has three *critical* vulnerabilities, addressed in BIND 9.7.3-P3, and ISC recommends upgrading *immediately* for certain setups:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

The diff to update is attached; it's trivial. I'm running this on an authoritative NS with no problems.

Closed by Gaetan Bisson (vesath)
Monday, 24 January 2011, 12:31 GMT
Reason for closing: Fixed
Additional comments about closing: 9.7.2.P3-3 in [extra]
Comment by Gaetan Bisson (vesath) - Saturday, 22 January 2011, 18:36 GMT
I will upgrade BIND this time, but I don't know if I will have much time to waste on it in the future.
It really is a pile of crap, which is why it needs to be upgraded *immediately* almost every month; NSD is a much safer and lightweight alternative.
Anyway, since I will also be cleaning up the PKGBUILD, the package will maybe be released tomorrow or the day after.
Comment by Geert Hendrickx (ghen) - Saturday, 22 January 2011, 19:24 GMT
Thanks a lot. FWIW, I'm running NSD on my other authoritative. ;-)

But lots of people rely on BIND, so it really should be kept up-to-date wrt. security fixes.
Comment by Gaetan Bisson (vesath) - Saturday, 22 January 2011, 21:58 GMT
Alright, I have put bind-9.7.2.P2-1 in [testing].
Since I have changed lots of things (although it's mostly packaging cleanup), I'd appreciate if you could tell me whether it runs fine with your setup.
If there is no issue, I will move it to [extra].
Comment by Gaetan Bisson (vesath) - Saturday, 22 January 2011, 22:08 GMT
Oh, wait. I made a tiny mistake which will be fixed in bind-9.7.2.P2-2, soon to appear in [testing] too. It's this new one that should be tested.
Comment by Gaetan Bisson (vesath) - Sunday, 23 January 2011, 09:06 GMT
bind-9.7.2.P2-2 is finally in [testing]; let me know if it works for you.
Comment by Geert Hendrickx (ghen) - Sunday, 23 January 2011, 10:19 GMT
No, the chown and chmod of /var/named broke my setup where /var/named is a symlink to /var/chroot/named/var/named.

I don't like all the chowning and chmodding in general, everybody's setup is different and your permissions/ownerships may not apply to others.

Also, I don't think daemons usually should have ownership of their own config files, just read access.

And particularly, with BIND and DNSSEC, many people keep their DNS keys inside /var/named, but unreadable for the named user (if they sign their zones with external tools, as root or another user). The chown -R makes them readable for the nameserver process, which poses a serious security risk!

The updated binaries work fine though.
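The risk ghen describes above, a recursive chown giving the daemon read access to DNSSEC private keys, can be audited with a short check. This is an added example, not code from the thread or from the Arch package; it assumes dnssec-keygen's `K*.private` file naming and that the nameserver runs as the `named` account.

```sh
#!/bin/sh
# Audit a BIND zone directory for DNSSEC private keys the nameserver could read.
# Added example, not part of the Arch package or the bug report. Assumes
# dnssec-keygen naming (K<zone>.+<alg>+<id>.private) and that named runs as
# the user and group "named", the daemon account discussed in the thread.

# exposed_keys DIR [GROUP] [USER]
# Prints each K*.private key under DIR that is world-readable, readable by
# GROUP, or (when USER is given) owned by USER, which is exactly what a
# recursive chown to the daemon account produces.
# Returns 0 when no key is exposed, 1 otherwise.
exposed_keys() {
    dir=$1
    grp=${2:-named}
    usr=$3
    # Build the find expression: others-readable (0004) or group-readable
    # (0040) by the daemon's group; the ownership test is added only when
    # a user name was supplied, since find aborts on unknown accounts.
    set -- -perm -004 -o \( -group "$grp" -perm -040 \)
    [ -n "$usr" ] && set -- "$@" -o -user "$usr"
    hits=$(find "$dir" -name 'K*.private' \( "$@" \) -print | sort)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}
```

Run it as `exposed_keys /var/named named named` after a package upgrade; any path it prints is a key that the zone-signing setup intended to keep away from the nameserver process.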
Comment by Gaetan Bisson (vesath) - Sunday, 23 January 2011, 11:30 GMT
Right. What I did is roughly equivalent to what the previous install script did. I'll try to make something better and let you know when it's done.
Comment by Geert Hendrickx (ghen) - Sunday, 23 January 2011, 11:48 GMT
Could you perhaps already put the updated package (just my diff) in [extra], and keep the other package changes separate?
Comment by Gaetan Bisson (vesath) - Sunday, 23 January 2011, 12:07 GMT
If I do that I'll never get to properly clean up this package. :)
I'm building the new version right now: x86_64 is taking some time, but i686 is done; if your architecture is i686 I can send you the package right away, otherwise they'll both be in [testing] in an hour or so.
Comment by Gaetan Bisson (vesath) - Sunday, 23 January 2011, 13:38 GMT
Alright, bind-9.7.2.P3-3 is in [testing] now. Let me know how it goes for you.
Comment by Gaetan Bisson (vesath) - Monday, 24 January 2011, 10:50 GMT
Argh... I forgot to actually move it to [testing].
It is there now, please let me know if it works for you.
I made it not change any file permissions on update.
Comment by Geert Hendrickx (ghen) - Monday, 24 January 2011, 11:44 GMT
Yes, it looks ok now.

Also, root.hint, localhost.zone etc. keep their original 640 root:named permissions now (I did not notice these problems since I'm not running it as a recursive resolver).

Thanks!