My master nameserver runs BIND 9.9, so I can do DNSSEC easily. I’ve installed from ports, but used the REPLACE_BASE option so that it overwrites the BIND 9.8.3 install included in the base system. That way I don’t have to worry about having multiple versions of the same command on different systems.
I patch this system via freebsd-update. After applying the latest security patches, I got the following email:
The following files will be updated as part of updating to 9.1-RELEASE-p3:
/usr/bin/dig
/usr/bin/host
/usr/bin/nslookup
/usr/bin/nsupdate
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/rndc-confgen
I don’t want freebsd-update to patch these files. I also don’t want to get an email every day telling me that I need to patch them. I know I don’t need to patch them.
The solution? Tell freebsd-update to ignore these files with the IgnorePaths directive in /etc/freebsd-update.conf. I copied the list of files from the email and added IgnorePaths before them.
...
IgnorePaths /usr/bin/dig
IgnorePaths /usr/bin/host
IgnorePaths /usr/bin/nslookup
IgnorePaths /usr/bin/nsupdate
IgnorePaths /usr/sbin/ddns-confgen
IgnorePaths /usr/sbin/dnssec-dsfromkey
IgnorePaths /usr/sbin/dnssec-keyfromlabel
IgnorePaths /usr/sbin/dnssec-keygen
IgnorePaths /usr/sbin/dnssec-revoke
IgnorePaths /usr/sbin/dnssec-settime
IgnorePaths /usr/sbin/dnssec-signzone
IgnorePaths /usr/sbin/lwresd
IgnorePaths /usr/sbin/named
IgnorePaths /usr/sbin/named-checkconf
IgnorePaths /usr/sbin/named-checkzone
IgnorePaths /usr/sbin/named-compilezone
IgnorePaths /usr/sbin/named-journalprint
IgnorePaths /usr/sbin/rndc-confgen
...
The complication here is that I must watch out for BIND security advisories, rather than just trusting in the update process. But that’s normal.