
Comment Been there, done that, several times. (Score 1) 162

I'm the author of a number of patches to a number of OSS projects, mostly security related. So, I would love to know what this "authentication module" is. Sounds like it might be PAM or maybe Apache related?

Over the last year and a half or so, a major OSS routing package, Quagga, was largely on "auto pilot". The maintainer was not being responsive, outstanding patches were piling up, and releases were overdue. This project was, in and of itself, a fork of an earlier project, Zebra, that had gone stale and been largely abandoned by its developers. Several months ago he popped up back out of the woodwork explaining that his job (that supported his work on this project) had been overwhelming and he had gotten way behind in things. Since then, most of the patches that had piled up in his queue have been integrated and several releases have cycled out and the project is now approaching its first 1.0 release candidate. That project is alive and active once again but, before he returned, some people were already starting to talk of yet another fork.

It happens and it can take time. If the project has a list, post to it and seek out some of the past contributors. Don't give up on him; he may be just extremely busy putting food on the table. The entire CentOS distribution was threatened by the absence of their lead (covered in other SlashDot articles). He showed up after all the publicity.

On the other hand, some projects deserve to die. A couple of VPN projects and crypto projects have been abandoned by their authors and maintainers and don't deserve to be resurrected (bugs, security holes, etc) even though they still had followers. Doesn't sound to be the case here but it's hard to tell without knowing what it is.

Comment Re:Servers behind Firewalls (Score 2, Insightful) 197

A server behind a firewall does not imply a server on a private network. You can have firewalls in front of a DMZ on a public address providing services. Firewalls are used for much more than merely "private networks". Those are two orthogonal issues.

OTOH... A master on a private network providing zone feeds to slaves on various other networks (firewalled or not) on public addresses would be a very good idea.

Comment Only effective against MASTERS... (Score 5, Informative) 197

From the advisory: "Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert."...

So an obvious workaround is to only expose your slave DNS servers and to not expose your master server to the Internet. That's part of "best common practices", isn't it? You have one master and multiple slaves and you protect that master. Come on, this is pretty simple stuff. Just simple secure DNS practices should mitigate this. Yeah, if you haven't done it that way to begin with, you've got a mess on your hands converting and it's easier to patch. But patch AND fix your configuration.
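
The workaround in the comment above (expose only the slaves, keep the master off the Internet) can be checked against a `named.conf`. This is an added example, not code from the commenter or from BIND: it flags master zones on a server whose `listen-on` addresses fall outside RFC 1918 or loopback space. The sample configs, the `INTERNAL` list and the function names are constructed for illustration.

```python
import ipaddress
import re

# Assumption: "not exposed" means RFC 1918 or loopback; adjust for your network.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample configs (not from the post or the advisory).
EXPOSED_MASTER = '''
options { listen-on { 192.0.2.10; }; };
zone "example.com" { type master; file "db.example.com"; };
zone "example.net" { type slave; masters { 10.0.0.5; }; file "db.example.net"; };
'''
HIDDEN_MASTER = '''
options { listen-on port 53 { 10.0.0.5; 127.0.0.1; }; };  // private side only
zone "example.com" IN { type master; file "db.example.com";
    allow-transfer { 192.0.2.10; }; also-notify { 192.0.2.10; }; };
'''

def is_exposed(token):
    """True if a listen-on entry is, or might be, reachable from outside."""
    if token == "none":
        return False
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return True  # "any", ACL names, negations: needs manual review
    return not any(net.version == 4 and net.subnet_of(i) for i in INTERNAL)

def block_after(text, start):
    """Body of the first brace-delimited block at or after start."""
    i = text.index("{", start)
    depth = 0
    for j in range(i, len(text)):
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        if depth == 0:
            return text[i + 1:j]
    raise ValueError("unbalanced braces")

def audit(conf):
    """Return master zones served by a named instance with exposed listeners."""
    conf = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf, flags=re.S)
    m = re.search(r"\blisten-on\s*(?:port\s+\d+\s*)?\{([^}]*)\}", conf)
    # With no listen-on statement, named listens on all interfaces.
    tokens = m.group(1).replace(";", " ").split() if m else ["any"]
    exposed = [t for t in tokens if is_exposed(t)]
    masters = [z.group(1) for z in re.finditer(r'\bzone\s+"([^"]+)"', conf)
               if re.search(r"\btype\s+(master|primary)\s*;", block_after(conf, z.end()))]
    return {"exposed_listeners": exposed, "at_risk_zones": masters if exposed else []}
```

The check sees listener addresses only; it cannot tell whether a firewall filters a public address or whether a private address is forwarded from outside, so treat its output as a list of servers to review.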
