how to get people to upgrade? (Re: The weak link? DNS)

Jeffrey C. Ollie jeff at ollie.clive.ia.us
Wed Mar 26 16:18:13 UTC 2003


On Wed, 2003-03-26 at 09:24, Paul Vixie wrote:
> so here's a proposal.  we (speaking for ISC here) could add a config option
> (default to OFF) to make bind send some kind of registration packet at boot
> time, containing an e-mail address for a technical contact for that server,
> and perhaps its hostname as well.
>
> [...]
>
> given such a feature, whose default was OFF, would anyone here who uses
> BIND stop using it out of protest?  if so plz answer publically (on nanog).

I would not use such a feature, and I suspect that most people who would
use such a feature would not have a clue that it was there or how to
turn it on.  What I would like to see is somewhat of the idea in
reverse.  The ISC would host a zone that would contain TXT records with
security/bug advisories for every version:

$ORIGIN .
$TTL 86400	; default TTL, required by BIND 9 for records without an explicit TTL

security-notice.bind	IN	SOA	ns.isc.org.	postmaster.isc.org.	1	7200	3600	604800	3600
security-notice.bind	IN	NS	ns.isc.org.	; an apex NS record is needed for the zone to load

$ORIGIN security-notice.bind.

; one owner name per version, with the version's dots acting as label separators
8.3.3			IN	TXT	"Name: BIND: Multiple Denial of Service [yadda yadda yadda...]"
4.9.10			IN	TXT	"Name: LIBRESOLV: buffer overrun [yadda yadda yadda...]"

yadda yadda yadda...

Ideally the zone would be DNSSEC signed as well.

Then, by default, BIND would query the zone periodically (perhaps every
24 hours or so) for its version.  If any records are found it would log
a message and/or send email to root at localhost, which would be repeated
periodically (I'd log a message every time that a check was performed,
but I'd only email once a week).  There would be config options so that
the clueful admin could customize/disable this behavior to his or her
liking.

This way no one would be collecting a central database of email
addresses, but everyone would get notified of security advisories in a
timely manner.

Jeff
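The periodic check Jeff sketches above, written out as an added example (not code from the post, from ISC, or from BIND): it builds the owner name <version>.security-notice.bind, looks up the TXT records, logs every check, and emails at most once per week. The zone contents are a constructed stand-in for a real DNS TXT query, and the class and function names are assumptions.

```python
"""Version-advisory check of the kind proposed in the post (added example)."""
from datetime import datetime, timedelta

ZONE = "security-notice.bind."

# Constructed TXT data mirroring the zone sketched in the post.  A real
# implementation would send a DNS TXT query (ideally DNSSEC-validated) for
# the owner name instead of consulting this dict.
ADVISORY_ZONE = {
    "8.3.3.security-notice.bind.": ["Name: BIND: Multiple Denial of Service"],
    "4.9.10.security-notice.bind.": ["Name: LIBRESOLV: buffer overrun"],
}


def advisory_name(version):
    """Owner name for a version: its dots become label separators, as in the post's zone."""
    return f"{version}.{ZONE}"


def lookup_txt(name, resolve=ADVISORY_ZONE.get):
    """Return the TXT strings for a name; an empty list means no advisory is published."""
    return list(resolve(name) or [])


class AdvisoryChecker:
    """Logs on every check; emails only when advisories exist and mail_interval has passed."""

    def __init__(self, version, mail_interval=timedelta(days=7), resolve=ADVISORY_ZONE.get):
        self.version = version
        self.mail_interval = mail_interval  # the post suggests once a week
        self.resolve = resolve
        self.last_mail = None
        self.log = []    # one entry per check, as the post proposes
        self.mails = []  # (time, advisories) pairs that would go to root@localhost

    def check(self, now):
        """Run one periodic check at time `now`; returns the advisories found."""
        advisories = lookup_txt(advisory_name(self.version), self.resolve)
        self.log.append(f"{now:%Y-%m-%d} checked {self.version}: {len(advisories)} advisories")
        due = self.last_mail is None or now - self.last_mail >= self.mail_interval
        if advisories and due:
            self.mails.append((now, advisories))
            self.last_mail = now
        return advisories


if __name__ == "__main__":
    checker = AdvisoryChecker("8.3.3")
    for day in range(8):  # simulate eight daily checks
        checker.check(datetime(2003, 3, 26) + timedelta(days=day))
    print("\n".join(checker.log), f"\nmails sent: {len(checker.mails)}")
```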