johani at autonomica.se
Mon Jun 13 08:45:25 UTC 2011
On Jun 12, 2011, at 21:54, Hauke Lampe wrote:
> On 12.06.2011 20:40, Paul Vixie wrote:
>> this is slightly tamer than what i'm going to propose for BIND. i want to
>> be able to send a specific message saying "CERT VU# xyz" if someone is running
>> a known-vulnerable version. DNSSEC now makes this practical. but it would
>> be an information leak, since the version number would be part of the QNAME.
> How about a zone listing vulnerabilities, linked by NSEC?
> named could traverse the list and ignore bugs that it knows have been
> fixed. That would also decouple the list of bugs from a specific version
> number and allow distributors to backport patches into older versions.
I like that, I think. In particular I think it is neat to utilize the NSEC chaining along an unknown set of names as a feature. But in the interest of avoiding an open-ended constantly growing list I think listing the most important issue for each version would be sufficient.
If for some reason the server is unable to chain through the NSECs due to intervening middleware or whatnot then that may be the cause of another warning all by itself.
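As an added illustration (not code from this thread or from BIND) of the chain walk Hauke describes: a constructed zone whose owner names are placeholder vulnerability identifiers, walked from the apex along NSEC "next" names, with issues the build knows are fixed dropped and a chain that cannot be closed reported as its own warning. The zone name, the vu-* identifiers and the FIXED_LOCALLY set are assumptions for the example.

```python
"""Simulated NSEC chain walk over a hypothetical "vulnerability zone".
Every owner name below the apex is a vulnerability identifier; the server
walks the chain and keeps only the issues it does not know to be fixed.
Added example, not BIND code."""

# Constructed zone: owner name -> next owner name in the NSEC chain.
# The last NSEC points back to the apex, as in a real signed zone.
APEX = "vulns.example."
NSEC_CHAIN = {
    "vulns.example.":           "vu-000001.vulns.example.",  # apex -> first
    "vu-000001.vulns.example.": "vu-000002.vulns.example.",
    "vu-000002.vulns.example.": "vu-000003.vulns.example.",
    "vu-000003.vulns.example.": "vulns.example.",            # last -> apex
}
# The vu-* labels are placeholders, not real CERT VU numbers.

# Issues this build knows it has patched (e.g. a distributor's backport).
FIXED_LOCALLY = {"vu-000001", "vu-000003"}


def walk_nsec_chain(chain, apex, max_steps=1000):
    """Follow NSEC 'next' pointers from the apex until they return to it.
    Returns (names, complete): the owner names seen (apex excluded) and
    whether the chain closed cleanly.  A missing link (e.g. middleware that
    never answers for the next name) or a runaway chain gives complete=False,
    which the caller treats as a warning in its own right."""
    names, current = [], chain.get(apex)
    for _ in range(max_steps):
        if current is None:
            return names, False        # broken link: next name never answered
        if current == apex:
            return names, True         # chain closed at the apex
        names.append(current)
        current = chain.get(current)
    return names, False                # loop or oversized chain: treat as broken


def pending_issues(chain, apex, fixed):
    """Return (unfixed vulnerability IDs, chain-closed flag)."""
    names, complete = walk_nsec_chain(chain, apex)
    ids = [n.split(".", 1)[0] for n in names]   # leftmost label is the ID
    return [i for i in ids if i not in fixed], complete


if __name__ == "__main__":
    issues, ok = pending_issues(NSEC_CHAIN, APEX, FIXED_LOCALLY)
    for issue in issues:
        print(f"warning: this build may be affected by {issue}")
    if not ok:
        print("warning: could not walk the NSEC chain; list is unverified")
```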