[NANOG] Re: Reasons why BIND isn't being upgraded

Pim van Riezen pi at vuurwerk.nl
Fri Feb 2 02:54:10 UTC 2001


On Thu, 1 Feb 2001, Pete Ehlke wrote:

> Pim van Riezen (pi at vuurwerk.nl) said, on [010201 17:29]:
> >
> > This is untrue. I expected this same thing. Then I ran into these gems of
> > bogosity while updating 8.2.2-P7 to 8.2.3:
> >
> > (1) 8.2.3 Doesn't accept the "(" in the SOA string to be on the next line
> >     after the IN SOA. Our script-generated zonefiles, about 45000 of them,
> >     all had this.
>
> Not accepting a bogus zone file is hardly classifiable as "bogosity".

Parsing human input isn't hard, you know. Robustness doesn't come from
being anal. If there's a bogus entry, reject the entry not the entire
zone. The rejection as such doesn't even classify as bogosity, it's the
fact that this rejection is _introduced_ in a 0.0.1 upgrade that is
advertised as an Urgent Security Fix and is being discussed right here on
this list in wonder considering why some people haven't upgraded yet. I'm
telling you that if I run into these problems (and manage to eventually
fix them) others will too and it will be for these reasons.

I also seriously counter your claim that having this bracket on the next
line is in any way bogus. It's visually superior to the now enforced
option of having it on the same line. There is nothing in the parser not
to understand it. Spreading data across lines is commonly accepted in a
lot of configuration languages and bind has been among this in all
versions I previously ran. Why is that now suddenly bogus?

> > documentation (README, CHANGES) mentions any of these problems and I've
> > been bitten by them. Yes we're running 8.2.3-REL fine now, but it took a
> > couple of _expensive_ reloads to get everything right. If ISC wants my
> > trust in the future of their codebase, they will have to work on seeing
> > the difference between an "architecture upgrade" and a "security patch".
>
> So, you deployed a new version of bind to a non-trivial set of
> production servers without doing any testing on development or QA
> systems, and you're blaming your production problems on the isc? I'm
> fairly certain that I'm glad you're not running my network,
> thankyewverymuch.

I followed all-out instructions to immediately upgrade to the new bind
because of alleged gaping security holes. We are short on staff on a major
scale[1] and our secondary was coping just fine. My complaint is not that
"ISC broke my network", no one did. My complaint was that I had to spend a
lot of time figuring out what should be blisteringly obvious.

I thank you for your character judgement anyway. May I add that I'm glad
I'm not working on your network, too? Your noc-list must be really cozy.
Hope you do get some work done besides exercising quick wit and
situational prejudice on other people.

Cheers,
Pi

[1] I'm the head of development, that's how short we are on admin staff
    ok? And this situation is not unique. Welcome to the real world.
    There are more Wanters in this world than there are Makers.
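The practical lesson in the thread is that a stricter zone-file parser in a "security fix" release can reject layouts the previous version accepted, and that discovering this at reload time on production servers is expensive. The following script is an added example, not code from the post or from ISC: it scans zone files for the one layout the post names (the SOA record's opening "(" on the line after "IN SOA") so they can be found and normalized before the upgrade rather than after. The sample zone is constructed; the file name `check_soa.py` and the exact parser behaviour of BIND 8.2.3 are assumed from the post rather than verified here.

```python
import sys

# Constructed sample zone file (not from the post) in the layout the post
# describes: the "(" opening the SOA record sits on the line after "IN SOA".
SAMPLE_ZONE = """\
$TTL 86400
example.test.      IN  SOA  ns1.example.test. hostmaster.example.test.
    (
        2001020101 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum
example.test.      IN  NS   ns1.example.test.
ns1.example.test.  IN  A    192.0.2.1
"""


def _code(line):
    """Drop a ';' comment so parentheses or 'SOA' inside comments are ignored."""
    return line.split(";", 1)[0]


def _is_soa_line(line):
    """True if SOA appears as a whitespace-separated token (the RR type position)."""
    return "SOA" in (tok.upper() for tok in _code(line).split())


def _next_code_line(lines, start):
    """Index of the first line after `start` that carries more than blanks/comments."""
    j = start + 1
    while j < len(lines) and not _code(lines[j]).strip():
        j += 1
    return j


def find_split_soa(zone_text):
    """Return 1-based line numbers of SOA records whose '(' is on a later line."""
    lines = zone_text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if not _is_soa_line(line) or "(" in _code(line):
            continue
        j = _next_code_line(lines, i)
        if j < len(lines) and _code(lines[j]).lstrip().startswith("("):
            hits.append(i + 1)
    return hits


def join_split_soa(zone_text):
    """Move the dangling '(' line onto the SOA line itself; other lines untouched."""
    lines = zone_text.splitlines()
    flagged = set(find_split_soa(zone_text))
    out = []
    i = 0
    while i < len(lines):
        if (i + 1) in flagged:
            j = _next_code_line(lines, i)
            out.append(lines[i].rstrip() + " " + lines[j].lstrip())
            i = j + 1
        else:
            out.append(lines[i])
            i += 1
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python check_soa.py ZONEFILE...   (no arguments: run on the sample)
    paths = sys.argv[1:]
    if not paths:
        print("sample zone, split SOA at line(s):", find_split_soa(SAMPLE_ZONE))
        print(join_split_soa(SAMPLE_ZONE))
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            hits = find_split_soa(fh.read())
        if hits:
            print(f"{p}: SOA '(' on the following line at line(s) {hits}")
```

Run it over the zone directory (for example with `find ... -exec`) on a staging host before the upgrade; `find_split_soa` only reports, and `join_split_soa` is the minimal rewrite that keeps every other line, including comments, exactly as generated, so the diff against the script-generated originals stays reviewable.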
