Although we do not recommend it, some sites may prefer to continue using the deprecated BIND 4.x for whatever weird reasons rather than upgrade to 8.x or 9.x. Unfortunately, some security features (running as a non-root user and in a chrooted environment) were in 8.x+ only. This patch makes these available back in 4.x (well, with some changes) and adds OpenBSD-style random IDs (the implementation differs, though).
You can read instructions on setting up the jail.
These files are also available from the Openwall file archive.
Follow this link for information on verifying the signatures.
We may help you apply this BIND patch to your installs and/or setup the BIND chroot jail for you, please check out our services.
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for this vulnerability, originally developed by Jun-ichiro itojun Hagino of NetBSD.
Note that in order to make use of the fixes you need to rebuild all applications that are statically linked against and make use of the BIND-provided resolver routines.
The BIND 4.9.7-OW5 patch contains fixes for the two most critical vulnerabilities (known as "infoleak" and "complain bug") that affect BIND 4.9.7. Older released versions of the BIND 4.9.7-OW patches didn't include these fixes and should be upgraded to at least 4.9.7-OW5 (the -OW patches, when used properly, reduced the impact of the "complain bug" vulnerability, though).
The BIND 4.9.8-OW1 patch no longer needs the "infoleak" and "complain bug" fixes (as these bugs are fixed in the 4.9.8 release), but adds a back-port of two fixes from BIND 8.2.2-P3+ (to the "naptr" and "maxdname" bugs, which are believed to be relatively minor and thus were not fixed in deprecated BIND versions including BIND 4).