how to get people to upgrade? (Re: The weak link? DNS)

william at elan.net william at elan.net
Wed Mar 26 13:58:18 UTC 2003


Thinking about it again, this would have the additional advantage of 
collecting statistics on where BIND is being used (you get the IPs of the 
servers) and what versions they are running. So even if they did not 
update the software, you can still find out where they are by IP address,
and if the situation is very, very serious, some kind of proactive contact 
option would still be available.

On Wed, 26 Mar 2003 william at elan.net wrote:

> Personally I've not looked favorably at giving my email to various lists, 
> although it's probably way too late and everyone by now has it...
> 
> 1. I have another idea though: during setup of the server, ask for the email 
> address of the list administrator, but keep that on the server itself.
> 2. Set up some DNS server that provides a DNS record if there are necessary 
> updates (here is one example in reverse DNS notation...: 
> 1.2.9.bind.updates.isc.org, and set it to a particular IP or 
> particular MX or whatever to show if an update is needed).
> Possibly have this special update DNS record be HINFO to a URL where more 
> information on the update is available.
> 3. When BIND starts, if the record in #2 exists and shows that an update is 
> necessary, have the BIND server email the address entered in #1, and in the 
> absence of that have it email postmaster at computername.com; and if HINFO 
> exists, it can take that and enter this as a custom email.
> 
> The above also makes it unnecessary for ISC to maintain that huge email 
> database or email everybody (and probably get a bunch of people angry at you 
> for spamming...). Anyway, just a thought...
> 
> On 26 Mar 2003, Paul Vixie wrote:
> 
> > 
> > sean at donelan.com (Sean Donelan) writes:
> > 
> > > What's even stranger about the Iraqi state provider Uruklink.net is the DNS
> > > servers are now self-identifying with earlier (with known bugs) versions
> > > of BIND.  Last week the Uruklink name server 62.145.94.1 was running
> > > 8.2.2-P5, but now is running 8.1.2.  ...
> > 
> > at http://www.isc.org/products/BIND/bind-security.html we see:
> > 
> > 	Name: "BIND: Remote Execution of Code"
> > 	[Added 11.12.2002]
> > 	Versions affected:     BIND 4.9.5 to 4.9.10
> > 	BIND 8.1, 8.2 to 8.2.6, 8.3.0 to 8.3.3
> > 	Severity:     SERIOUS
> > 	Exploitable:     Remotely
> > 	Type:     Possibility to execute arbitrary code.
> > 	Description:
> > 
> > 	When constructing a response containing SIG records an incorrect
> > 	space allows a write buffer overflow. It is then possible to
> > 	execute code with the privileges of named.
> > 
> > the list goes on.  i'm sure several folks will use this as an opportunity to
> > hawk their own alternative non-BIND DNS solution, i wish you well except plz
> > change the Subject: header on your reply since what i really want to talk
> > about is: how to get people to upgrade their software when defects are found.
> > 
> > sending out announcements through CERT and the bind-announce m/l isn't working.
> > 
> > so here's a proposal.  we (speaking for ISC here) could add a config option
> > (default to OFF) to make bind send some kind of registration packet at boot
> > time, containing an e-mail address for a technical contact for that server,
> > and perhaps its hostname as well.  the destination would be configurable, and
> > the format would be open, and we would include in the distribution a tool
> > capable of catching these.  any campus/WAN admin who wanted to run their own
> > "BIND registration system" could do so.  anyone who wanted to simply config
> > their server to send registration data to ISC could do so.  for data received
> > at ISC, we'd (a) keep it completely private other than public statistics,
> > (b) clean it of obvious trash (some people will send registration data for
> > president at whitehouse.gov just for fun; we know that), and (c) use the contact
> > information only in the event that a security defect is discovered in that
> > version.  remember, the default would be OFF.
> > 
> > given such a feature, whose default was OFF, would anyone here who uses
> > BIND stop using it out of protest?  if so plz answer publicly (on nanog).
> > 
> > given such a feature, would anyone here create their own registration system
> > so they had their own database of local BIND instances on their campus/WAN,
> > or would anyone here config their servers to send registration data to ISC?
> > if so plz answer privately (i'll summarize to the list.)
> 
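The lookup scheme in steps 1-3 of the quoted proposal, written out as an added example. This is not code from the thread, from ISC or from BIND; the zone name bind.updates.isc.org is the hypothetical one the post uses, the rule that a patch suffix such as "-P5" becomes one more label is an assumption (the post gives none), the use of the second HINFO string to carry the URL is an assumption, and the resolver is a constructed in-memory table (the flagged versions are the ones in the advisory quoted above) so the script runs offline:

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Zone named in the post; it is a hypothetical, not a real ISC service.
UPDATE_ZONE = "bind.updates.isc.org"
# URL quoted in the thread; used as the HINFO payload in the constructed zone.
ADVISORY_URL = "http://www.isc.org/products/BIND/bind-security.html"


class LookupFailure(Exception):
    """The resolver could not answer (timeout, SERVFAIL). Distinct from NXDOMAIN."""


def version_to_name(version: str, zone: str = UPDATE_ZONE) -> str:
    """Map a BIND version string to its reverse-notation owner name.

    "9.2.1" -> "1.2.9.bind.updates.isc.org" (the post's own example).
    Assumption: a patch suffix such as "-P5" becomes one more label, so
    "8.2.2-P5" -> "P5.2.2.8.bind.updates.isc.org".
    """
    labels = re.split(r"[.-]", version.strip())
    if not all(re.fullmatch(r"[A-Za-z0-9]+", lab) for lab in labels):
        raise ValueError(f"unusable version string: {version!r}")
    return ".".join(reversed(labels)) + "." + zone


def hinfo_strings(rdata: str) -> list[str]:
    """Split HINFO presentation text ('"CPU" "OS"') into its character-strings."""
    return [s.replace('\\"', '"') for s in re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)]


@dataclass
class UpdateCheck:
    version: str
    status: str               # "update-needed", "current" or "unknown"
    info_url: Optional[str]   # taken from HINFO when the zone publishes one
    notify: str               # where step 3 of the post would send the mail


# (owner name, record type) -> list of rdata in presentation format
Resolver = Callable[[str, str], list[str]]


def check_for_update(version: str, hostname: str, resolver: Resolver,
                     admin_email: Optional[str] = None) -> UpdateCheck:
    """Steps 1-3 of the post: build the name, look it up, pick the contact."""
    notify = admin_email or f"postmaster@{hostname}"   # step 3's fallback address
    name = version_to_name(version)
    try:
        flagged = resolver(name, "A")
        hinfo = resolver(name, "HINFO") if flagged else []
    except LookupFailure:
        # A resolver failure is not NXDOMAIN: never turn "could not ask"
        # into "no update needed".
        return UpdateCheck(version, "unknown", None, notify)
    if not flagged:
        return UpdateCheck(version, "current", None, notify)
    url = None
    for rdata in hinfo:
        strings = hinfo_strings(rdata)
        # Assumption: the second HINFO string carries the URL; the post only
        # says HINFO points "to a URL where more information ... is available".
        if len(strings) == 2 and strings[1].startswith(("http://", "https://")):
            url = strings[1]
    return UpdateCheck(version, "update-needed", url, notify)


# Constructed zone data standing in for a real DNS server. The flagged
# versions are ones inside the ranges listed in the advisory quoted above.
_CONSTRUCTED_ZONE: dict[tuple[str, str], list[str]] = {}
for _v in ("4.9.10", "8.1.2", "8.2.2-P5", "8.3.3"):
    _n = version_to_name(_v)
    _CONSTRUCTED_ZONE[(_n, "A")] = ["127.0.0.2"]
    _CONSTRUCTED_ZONE[(_n, "HINFO")] = [f'"UPDATE" "{ADVISORY_URL}"']


def constructed_resolver(name: str, rtype: str) -> list[str]:
    """Answer from the table above; an empty list plays the role of NXDOMAIN."""
    return _CONSTRUCTED_ZONE.get((name, rtype), [])


def failing_resolver(name: str, rtype: str) -> list[str]:
    """Models a resolver that cannot reach the update zone at all."""
    raise LookupFailure(name)


if __name__ == "__main__":
    for v in ("8.2.2-P5", "8.1.2", "9.2.1"):
        print(check_for_update(v, "ns1.example.net", constructed_resolver))
    print(check_for_update("8.1.2", "ns1.example.net", failing_resolver))
```

Two things a practitioner would want the real thing to keep: the distinction between NXDOMAIN ("current") and a failed lookup ("unknown"), so an outage of the update zone does not read as a clean bill of health, and the knowledge that a plain DNS answer is unauthenticated, so whoever can answer the query can suppress or trigger the notification mail.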




More information about the NANOG mailing list