[Re: how to get people to upgrade? (Re: The weak link? DNS)]

Joshua Smith joshua.ej.smith at usa.net
Wed Mar 26 16:52:41 UTC 2003


"Jeffrey C. Ollie" <jeff at ollie.clive.ia.us> wrote:
> 
> On Wed, 2003-03-26 at 09:24, Paul Vixie wrote:
> > so here's a proposal.  we (speaking for ISC here) could add a config option
> > (default to OFF) to make bind send some kind of registration packet at boot
> > time, containing an e-mail address for a technical contact for that server,
> > and perhaps its hostname as well.
> >

options {
     ...
     ...
     // this option is here to remind you when it is time to be a
     // responsible netizen - choices are on or off, default is on
     fetch-clue on;
     ...
};

> > [...]
> >
> > given such a feature, whose default was OFF, would anyone here who uses
> > BIND stop using it out of protest?  if so plz answer publicly (on nanog).
> 
> I would not use such a feature, and I suspect that most people who would
> use such a feature would not have a clue that it was there or how to
> turn it on.  What I would like to see is somewhat of the idea in
> reverse.  The ISC would host a zone that would contain TXT records with
> security/bug advisories for every version:
> 
> $ORIGIN .
> 
> security-notice.bind	IN	SOA	ns.isc.org.	postmaster.isc.org.	1	7200	3600	604800	3600
> 
> $ORIGIN security-notice.bind.
> 
> 8.3.3			IN	TXT	"Name: BIND: Multiple Denial of Service [yadda yadda
yadda...]"
> 4.9.10			IN	TXT	"Name: LIBRESOLV: buffer overrun [yadda yadda yadda...]"
> 
> yadda yadda yadda...
> 
> Ideally the zone would be DNSSEC signed as well.
> 

don't forget to include some useful/helpful comments regarding where to
look for more info

> Then, by default, BIND would query the zone periodically (perhaps every
> 24 hours or so) for it's version.  If any records are found it would log
> a message and/or send email to root at localhost, which would be repeated
> periodically (I'd log a message every time that a check was performed,
> but I'd only email once a week).  There would be config options so that
> the clueful admin could customize/disable this behavior to his or her
> liking.

i like this idea better, and every little bit helps, but i still have
some reservations:
for the install-and-forget crowd (it is running, right?  well then why
would i want to mess with it), i don't know that they would see the
periodic messages, know how to act on them (although i am sure that very
detailed instructions could be included in each email), or care to act on
them.  unless there is a blinking icon in the 'taskbar' that they click
on, and then magically when the machine has rebooted, they are up2date
with everything, i have doubts that it would work for a lot of the
servers out there (besides, how will any of this prompt those who are
currently out of date to upgrade?)

> 
> This way no one would be collecting a central database of email
> addresses, but everyone would get notified of security advisories in a
> timely manner.
> 
> Jeff
> 
> 

my $0.02

joshua


"Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence."
     - Stephen Hawking -
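Added example, not from the post above and not ISC/BIND code: a toy of the check the quoted proposal describes. A real implementation would send a TXT query for `<version>.security-notice.bind.` through the resolver; so that this runs offline, the query is stood in for by parsing a small constructed zone laid out like the one in the proposal (the advisory text and the example.net URLs are made up), then the proposal's policy is applied: log on every check, e-mail root at most once a week. Names such as `AdvisoryChecker`, `query_name` and `advisories_for` are this example's own.

```python
import re

ZONE_ORIGIN = "security-notice.bind."
ONE_DAY = 24 * 60 * 60
ONE_WEEK = 7 * ONE_DAY

# Constructed sample zone in the layout of the quoted proposal.  The
# advisory text and the example.net URLs are made up for this example.
SAMPLE_ZONE = """\
$ORIGIN security-notice.bind.
; one TXT record per affected version, each with a pointer to more info
8.3.3    86400  IN  TXT  "Name: BIND: Multiple Denial of Service" "More: https://advisories.example.net/bind-8.3.3"
4.9.10          IN  TXT  "Name: LIBRESOLV: buffer overrun" "More: https://advisories.example.net/libresolv-4.9.10"
"""

# Everything on a line up to the first ';' that is not inside a quoted string.
_BEFORE_COMMENT = re.compile(r'^((?:[^";]|"(?:[^"\\]|\\.)*")*)')
# One quoted <character-string> of TXT rdata, allowing backslash escapes.
_TXT_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
_TXT_TYPE = re.compile(r'\bTXT\b')


def qualify(owner, origin):
    """Turn a relative owner name into an absolute one under `origin`."""
    if owner.endswith("."):
        return owner
    if owner == "@":
        return origin
    return owner + "." if origin == "." else owner + "." + origin


def parse_txt_zone(text):
    """Parse the TXT records of a zone file into {owner: [rdata strings]}.

    Handles $ORIGIN, comments, optional TTL/class, and multi-string TXT
    rdata (the strings of one record are joined with a space).  Records of
    other types are ignored because only TXT carries advisories here.
    """
    records = {}
    origin = "."
    for raw in text.splitlines():
        line = _BEFORE_COMMENT.match(raw).group(1).strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = _TXT_TYPE.search(line)
        if m is None:
            continue
        owner = qualify(line[:m.start()].split()[0], origin)
        strings = [s.replace('\\"', '"') for s in _TXT_STRING.findall(line[m.end():])]
        records.setdefault(owner, []).append(" ".join(strings))
    return records


def query_name(version):
    """The owner name BIND would look up for its own version string."""
    return version + "." + ZONE_ORIGIN


def advisories_for(zone, version):
    """Advisory records for a version; an empty list means 'no notices'."""
    return zone.get(query_name(version), [])


class AdvisoryChecker:
    """One check per call, with the proposal's notification policy:
    log every check, but mail root at most once per `mail_interval`."""

    def __init__(self, version, zone, mail_interval=ONE_WEEK):
        self.version = version
        self.zone = zone
        self.mail_interval = mail_interval
        self.last_mailed = None  # time of the last e-mail, or None

    def check(self, now):
        """Run a check at time `now` (seconds); return (log_line, mail_or_None)."""
        found = advisories_for(self.zone, self.version)
        if not found:
            return ("advisory check: no notices for BIND " + self.version, None)
        log_line = "advisory check: %d notice(s) for BIND %s" % (len(found), self.version)
        mail = None
        if self.last_mailed is None or now - self.last_mailed >= self.mail_interval:
            mail = ("To: root@localhost\n"
                    "Subject: BIND %s has published security notices\n\n%s\n"
                    % (self.version, "\n".join(found)))
            self.last_mailed = now
        return (log_line, mail)


if __name__ == "__main__":
    checker = AdvisoryChecker("8.3.3", parse_txt_zone(SAMPLE_ZONE))
    for day in range(9):  # simulate nine daily checks: mail on day 0 and day 7 only
        log_line, mail = checker.check(day * ONE_DAY)
        print(log_line + ("  [mail sent]" if mail else ""))
```

Two practical points follow from the shape of this check. The lookup name is built from the running version string, so the answer (or its absence) is exactly what an on-path attacker would want to forge; that is why the proposal's "ideally DNSSEC signed" is not optional if the result is meant to be trusted. And because a missing record and a suppressed answer look the same to the client, a deployment would also want to distinguish NXDOMAIN from a failed or timed-out query in the log line.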