skogzort wrote:
> Hello,

...[I don't care why, you just need to keep your system up-to-date]...

> I have inherited an Open BSD DNS server that provides external DNS for our web
> server and serves NTP for our infrastructure. I don't know UNIX or Open BSD.
> I'm reading through the Open BSD website and asking questions on the mailing
> lists to try and get an overview of what I need to do to upgrade/update/patch
> this server.
> It was suggested to me that I may have to "manually merge the patch",

anyone who tells you that is a complete idiot. The people capable of doing that properly would be smart enough to not try doing that in the first place. Technically possible, of course, but the wrong answer for a lot of reasons.

> but
> I can't find any instructions for that. I know that if I could upgrade our
> release to 4.2 or 4.3 then I could follow the instructions in the patch
> itself, but I wonder if that would be more work and potential for mistakes
> than necessary.

No, you NEED to keep your system up-to-date. Events like this are why. It is part of your life if you are exposed to the Internet. If you were keeping your system up-to-date, you would be annoyed by this, but not at all distressed by it. The reason we make the official process the official process is it is the MOST likely to work and LEAST likely to provoke mistakes.

> I was also told to use "ports", but I read that using
> ports was only for people who have experience with Open BSD and beginners were
> not allowed to ask questions in mailing lists about using ports.

Geez. Whomever you are listening to, put wax in your ears and find some non-fools to hang around with.

> My inexperience is a factor, I am looking for the shortest steps (so there
> will be less chance for error) that will still allow for a quick revert,
> should the "fix" fail.
> Thanks again to everyone who helped with my last question and who may help
> with this. I really appreciate your time and opinions.
> Kyle

NTP and BIND are in the basic OpenBSD install, it doesn't get much easier than this.
Go grab yourself a six or seven year old computer, 128M of RAM or more and install OpenBSD 4.3 on it. Now, re-implement your existing system on that new machine, following FAQ 4 for the install. Now bring it up to -stable, following FAQ 5. Ta-da, you are now running a secured system.

Now, even though this very old computer will do everything you probably need it to do, it is embarrassing to replace newish hw with old junk, so you probably need to buy a new disk for your amd64 system, (yes, there are a lot of applications where a 400MHz 128M system won't do the job for your DNS server, but most people don't need much.) install OpenBSD 4.3 on it, and do the same thing. Since you have already done this, it will go quickly. If things go wrong, you still have your old disk sitting around.

What I'd actually recommend doing is using the 4.4-beta snapshots that are out now, which will work better and more securely than 4.3-stable, and be a lot less work. In that case, you would install, configure, test, go home. In November, when 4.4 comes out, you just do a minor upgrade, which should cause almost zero downtime and one reboot to bump yourself to 4.4-release, then every six months, just do a routine upgrade. However, new users tend to get a bit skittish about using software that says "-beta" on it, and you are already outside your comfort zone...and the 4.3->stable process will be a good learning experience for you anyway.

The "rebuild the system" is normally an extreme reaction, but in your case, you are many releases behind, and bumping your way along from 3.8 to 3.9 to 4.0 to 4.1 to 4.2 to 4.3 would be a long, slow process, and if you are now maintaining this system, an install and configure would be a good way to get to know it...which you need to do.

Configuring ntpd (assuming OpenNTPD) is trivial, probably two lines in a file (see the FAQ and the man page for ntpd). Configuring BIND is..well..configuring BIND. The difference with OpenBSD vs.
the others is we assume you are going to be using chroot, and it isn't an add-on like it is on a lot of other OSs. I've had the "pleasure" of doing this on a few non-OpenBSD OSs recently... trust me, OpenBSD is what you want to be doing this with.

Nick.

