I want to use a package of bind97 by DNS of cpanel.
Will cPanel support this?
Or I want to know it if there are the movement results.
Thanks
cPanel currently supports bind 9.3.6-16 rpms on a machine using CentOS 5.6 as this is the version that yum provides for the normal CentOS repositories. We do not support any bind rpms that aren't part of the default CentOS package system. If your package system is able to obtain a version newer than bind 9.3.6-16, then it would not appear to be using the default yum repositories.
-- Tristan, Forums Technical Analyst, cPanel Tech Support
A few things on this..
bind97 (Bind 9.7) is part of the normal CentOS 5.6 repository, it's just that bind 9.3 is probably installed by default (or installed if you don't pick the other one).
I've been going through my webhost (hostgator) to upgrade to 9.7 because of issues with 9.3. And they basically told me cpanel doesn't support it so we don't. I asked them to contact cpanel, and they didn't seem to want to do that, and basically told me it will be supported when it's supported. I figure they would be more open to listen to hostgator than myself since I'm not a direct customer.
Well.. the problem is that bind 9.3 on CentOS has NOT had any patches applied since Dec 2010. I don't know if they stopped patching it because 9.7 is also in the repository?? 9.7 has had 3 updates since that time. The problem is 2 of these updates that are NOT on the current 9.3 backport of bind fail PCI testing (merchant credit card test). And since all these companies that test for PCI compliance use pretty much the same bug/vulnerability list, anyone on an old unpatched machine will not be compliant pretty soon. Which in some cases can mean your merchant provider will charge you non-compliance fees or possibly pull your credit card processing account depending on your volume.
I was told to wait for 5.7.. but if cpanel doesn't want to support 9.7 because 9.3 is the default one installed.. well it's looking like centos 5.7 will still have the same bind and bind97 packages simultaneously. I can force an install of 9.7 on the box.. but I'm not sure what if any config file issues I will have with cpanel. Probably be best if I just moved the DNS over to another box and handled it manually for a while.
So the question becomes.. Cpanel: Do you have an estimate on support for bind 9.7 on centos 5.6?
Regards,
-Moses
Since what you are asking is more of a feature request than a New User question, would you like me to move this over to the feature requests forum? The staff member who handles all feature requests would not necessarily have this thread come to his attention unless it's in the appropriate location.
-- Tristan, Forums Technical Analyst, cPanel Tech Support
Hello,
Any help you can provide is appreciated. If it needs to be moved because it's considered a feature, I don't mind.
Regards,
-Moses
What CVEs are you failing on?
Here is the current failing CVE list for what I believe is the latest update for bind (not bind97) on CentOS 5.6 (bind-9.3.6-16.P1.el5)
CVE-2010-0382
CVE-2009-0025
CVE-2011-1910
The last changelog for this version is from DEC 2010. The last changelog for bind 9.7 shows a last update of June 2011. Maybe they stopped patching 9.3? In which case this is going to get worse as time goes on.
The 2009 and 2010 CVEs don't show up in the changelog, it may or may not be patched I'm not certain. But CVE-2011-1910 is obviously not in there.
Regards,
-Moses
Doesn't PCI require your site being on a dedicated server? If so, have you considered upgrading to CentOS 6?
I don't think PCI requires a server be dedicated.. but I'm not sure.
It is on a dedicated machine.. but I have elected to have our hosting company 'manage' the machine. We pay extra for this so they can keep the machine up and running and more importantly up to date on security patches.
Their standard install is apparently centos 5.6 with cpanel, and since cpanel does not support the newer versions of bind (>9.3.x) they don't support it either. I could install it myself, but then they will not support any dns/bind/whatever issues that come up because they say cpanel does not support newer version of bind.
CVE-2009-0025 - This looks like it is caused by an older version of openssl and should not be an issue.
CVE-2010-0382 - This looks like it was caused by CVE-2009-4022. The change log shows the following:
- improve fix for CVE-2009-4022 (#538744)
- {C,D}NAMEs could be returned to clients without proper DNSSEC validation
- don't validate + cache out-of-bailiwick data returned with a secure answer.
Refetch it instead.
CVE-2011-1910 - Shows that it is for caching nameservers.
These should be able to be marked as false positives.
As for upgrading, as long as it does not cause a problem with how cpanel sets up dns records, it should not be a problem to upgrade. If cpanel has not verified that it works, then it could cause an error and take down all of the dns records for all of your domains.
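The changelog check discussed in the posts above, as an added example that is not part of the original thread: it compares the CVE IDs a scanner flags with the CVE IDs named in a package changelog. The function names (`sample_changelog`, `list_changelog_cves`, `triage`) are hypothetical, and the embedded changelog is a constructed sample built from the excerpt quoted in the thread; on a live host the input would come from `rpm -q --changelog bind`.

```shell
#!/bin/sh
# Added example (not from the thread): compare scanner-flagged CVE IDs with
# the CVE IDs named in a package changelog. On a live host the changelog
# would come from:  rpm -q --changelog bind

# Constructed sample. The entry text is the excerpt quoted in the thread;
# the header line is a placeholder, not real package metadata.
sample_changelog() {
cat <<'EOF'
* <date placeholder> <packager placeholder> <version placeholder>
- improve fix for CVE-2009-4022 (#538744)
- {C,D}NAMEs could be returned to clients without proper DNSSEC validation
- don't validate + cache out-of-bailiwick data returned with a secure answer.
  Refetch it instead.
EOF
}

# Print every distinct CVE ID named in the changelog read from stdin.
list_changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# triage CVE-ID...   (changelog on stdin)
# Prints one line per flagged ID: "<id> mentioned-in-changelog" or
# "<id> not-in-changelog". -w stops a short ID matching inside a longer one.
triage() {
    log=$(cat)
    for cve in "$@"; do
        if printf '%s\n' "$log" | grep -qwF -- "$cve"; then
            echo "$cve mentioned-in-changelog"
        else
            echo "$cve not-in-changelog"
        fi
    done
}

# The three IDs listed in the thread, plus CVE-2009-4022, which a reply
# relates to CVE-2010-0382.
sample_changelog | triage CVE-2010-0382 CVE-2009-0025 CVE-2011-1910 CVE-2009-4022
```

A `not-in-changelog` result only means the ID is not named in the changelog text; it does not by itself show whether the fix was backported under a different reference.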
If you have BIND 9.7 installed, cPanel&WHM will work with it. If you encounter issues, please submit a support ticket.