Jaroslaw Rafa wrote:
> Hello,
> It's my third attempt to send this to the list - two previous didn't get
> through, so please excuse me for possible duplicates if they appear later...
> Due to recent exploits I have to upgrade to the newest version of BIND.
> My DNS server is a quite old machine, running BIND 4 on Solaris 2.5.1. I
> didn't upgrade because the OS lacks many libraries and syscalls and it's
> hard to get newest versions of programs compiled under it. The machine
> is about to be completely replaced by a new one running under Solaris 9,
> but the migration is delaying due to various reasons and it can take
> several months until it is finished. However, because of the recent
> vulnerabilities, BIND has to be upgraded *now*.
> And here I have some problem. I successfully compiled BIND 9.5.0-P1 on
> my system, but when I run "make test" after the build, some of the tests
> fail. The tests that fail are: cacheclean, forward, lwresd, rrsetorder
> and upforwd (the same applies for BIND 9.4.2-P1). My question is: how
> severe is this? Can something bad happen if I run the nameserver with
> these tests failing or may I safely ignore this? I can send the detailed
> test output if needed.

Last time I built BIND on an unfamiliar platform (AIX if you must know),
I had some failing tests as you describe. Turns out, named was actually
*dying* during the tests and that's why some of the tests were failing.
The test harness/subsystem wasn't very clear on the whole
death-of-its-major-component thing. I ended up having to use a later
version of gcc in order for named to not crash and for the tests to pass.

So, yeah, this might be very serious. named dying in production might be
rather inconvenient. You might want to dig deeper into why those
particular tests are failing.

- Kevin