Package: bind9 Version: 1:9.10.3.dfsg.P4-12.3+deb9u4 Severity: important Dear Maintainer,
https://kb.isc.org/article/AA-01639/0 worries me a lot. I don't think not using deny-answer-aliases is really an option, as this would lead to other security issues. Regards, Rob -- System Information: Debian Release: 9.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-7-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages bind9 depends on: ii adduser 3.115 ii bind9utils 1:9.10.3.dfsg.P4-12.3+deb9u4 ii debconf [debconf-2.0] 1.5.61 ii init-system-helpers 1.48 ii libbind9-140 1:9.10.3.dfsg.P4-12.3+deb9u4 ii libc6 2.24-11+deb9u3 ii libcap2 1:2.25-1 ii libcomerr2 1.43.4-2 ii libdns162 1:9.10.3.dfsg.P4-12.3+deb9u4 ii libgeoip1 1.6.9-4 ii libgssapi-krb5-2 1.15-1+deb9u1 ii libirs141 1:9.10.3.dfsg.P4-12.3+deb9u4 ii libisc160 1:9.10.3.dfsg.P4-12.3+deb9u4 ii libisccc140 1:9.10.3.dfsg.P4-12.3+deb9u4 ii libisccfg140 1:9.10.3.dfsg.P4-12.3+deb9u4 ii libk5crypto3 1.15-1+deb9u1 ii libkrb5-3 1.15-1+deb9u1 ii liblwres141 1:9.10.3.dfsg.P4-12.3+deb9u4 ii libssl1.0.2 1.0.2l-2+deb9u3 ii libxml2 2.9.4+dfsg1-2.2+deb9u2 ii lsb-base 9.20161125 ii net-tools 1.60+git20161116.90da8a0-1 ii netbase 5.4 bind9 recommends no packages. Versions of packages bind9 suggests: ii bind9-doc 1:9.10.3.dfsg.P4-12.3+deb9u4 ii dnsutils 1:9.10.3.dfsg.P4-12.3+deb9u4 pn resolvconf <none> pn ufw <none> -- Configuration Files: /etc/bind/db.root changed [not included] /etc/bind/named.conf changed [not included] -- debconf information: bind9/start-as-user: bind bind9/different-configuration-file: bind9/run-resolvconf: false