Production BIND DNS servers - Do you use the package manager or compile the latest stable edition?

Solution 1:

Generally I keep up to date using the vendor's latest packaged version. In the case of RH (and CentOS), although their major release number might not change on a package, they usually backport key and critical patches from the later releases.

To make things easier for myself in the event that I really do want to go to a much later release of a package, I download the vendor source package, get the new version of the software to be compiled, and fix the specs package for the package to accommodate the new version. Once the package(s) are generated from running an rpmbuild, I can then rpm --install them. One nice thing about doing it this way is that the final resting spots and configure options are preserved without a lot of hassle.

Solution 2:

I use the packaged version, ESPECIALLY for internet-facing applications. If you use a major distro like CentOS, Red Hat, Ubuntu, or Debian, you will get all the latest security fixes, even if it is not the latest major version number. Security and stability are much more important than having the absolute latest features, especially with something like BIND.
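
Both answers above rely on distribution backports, which means the package version string alone does not show whether a particular fix is present. One way to check is to search the package changelog for the CVE IDs you care about. This is an added example, not part of either answer; the function name `missing_cves`, the sample changelog and the CVE IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: list the CVE IDs that a package changelog does NOT mention.
# The changelog is read from stdin; the CVE IDs to look for are arguments.
# On an RPM-based system the real input would come from:
#   rpm -q --changelog bind | missing_cves <CVE-ID> [<CVE-ID> ...]

missing_cves() {
    changelog=$(cat)
    missing=""
    for cve in "$@"; do
        # -F: match the ID literally; -w: whole token only, so a shorter
        # ID does not match as a prefix of a longer one.
        if ! printf '%s\n' "$changelog" | grep -qwF -- "$cve"; then
            missing="${missing}${missing:+ }$cve"
        fi
    done
    # Print the IDs with no changelog entry (empty line if none).
    printf '%s\n' "$missing"
    # Exit status 0 only when every requested ID was found.
    [ -z "$missing" ]
}

# Constructed sample in rpm changelog layout (not real BIND package data).
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Packager <packager@example.invalid> - 32:9.0.0-2
- Backport fix for CVE-0000-00001
* Fri Dec 01 2023 Packager <packager@example.invalid> - 32:9.0.0-1
- Resolves: CVE-0000-00002, assertion failure in resolver'
```

An ID reported as missing is not proof that the package is vulnerable, since the changelog may describe the fix without naming the CVE; treat it as a prompt to check the vendor's security advisory for that ID.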

Solution 3:

I'm going to go against the flow on this one. For something that faces the Internet I prefer to use the latest stable version, so I build from source. I don't know about Red Hat but CentOS packages tend to be a fair bit behind the latest versions, which means you may well be installing something that already has known security issues. I just get nervous about that kind of thing.