phoning home

Jim Reid jim at rfc1035.com
Mon Jun 13 09:21:41 UTC 2011


On 12 Jun 2011, at 20:54, Hauke Lampe wrote:

>> this is slightly tamer than what i'm going to propose for BIND.  i want to
>> be able to send a specific message saying "CERT VU# xyz" if someone is running
>> a known-vulnerable version.  DNSSEC now makes this practical.  but it would
>> be an information leak, since the version number would be part of the QNAME.

Well maybe. But who says the QNAME must be related to the BIND version  
that issues this lookup?

> How about a zone listing vulnerabilities, linked by NSEC?

This is a Stunningly Bad Idea. DNS RDATA is not a good place to  
implement linked lists, even though NSEC provides that capability as a  
side-effect. What is the client expected to do while this "find if  
I've got any security bugs" quest was under way?
How many NSECs would an implementation have to traverse before it gave  
up or decided it didn't have a security hole?


I'm not convinced that getting BIND to phone home (when? how often?)  
is worthwhile.

First the people who need to do something about old, buggy versions
will not see these warnings or do anything about them. They won't be
checking their logs. Or know how to switch on this bugfix check. [It
would be configurable, right?] These guys already don't visit the ISC
web site for info about vulnerabilities or read any of the lists where
announcements get made about a security problem. Expecting them to
read and act on a message in the name server logs seems optimistic
and/or naive. Unless the server refuses to run until it gets upgraded.
Which introduces another set of nasties...

Next, what's to be done about vendors who fold their own tweaks into  
the code? Or mangle the version info to match their own release  
conventions? Think $LinuxDistro BIND version foo which is actually  
BIND x.y.z with (some of) the BIND x.y.z security patches applied.

Maintaining the DNS infrastructure for security-holes.bind.isc.org (or  
whatever) will be a problem. This is probably not a big deal, though  
the long-term consequences could be unpleasant: ISC would be committed  
to sustaining this domain forever.

And what happens when lookups for this domain fail because they get  
blocked at the corporate firewall or when an organisation has an  
internal root?
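
An added example, not code from the post, from ISC or from BIND, of what the "find if I've got any security bugs" walk over an NSEC chain would look like once it is given the stopping rule the post asks about. The zone vulns.example, its vu-NNN owner names and the TXT records are constructed for the example; the canonical-order check is a simplified form of the RFC 4034 rule, adequate for plain ASCII names.

```python
"""Bounded walk over a constructed 'vulnerability zone' NSEC chain.

Added example, not ISC/BIND code. Zone contents are invented. The walker
carries a hop cap and treats loops and out-of-order pointers as a broken
chain instead of following them forever.
"""
from typing import Dict, List, Set, Tuple

# owner name -> (NSEC "next owner" name, RR types present at the owner)
Zone = Dict[str, Tuple[str, Set[str]]]

APEX = "vulns.example."  # constructed zone name

# Constructed zone. In a signed zone every name carries an NSEC whose next
# field points to the following name in canonical order; the last one wraps
# to the apex. That closed chain is the 'linked list' the post refers to.
VULN_ZONE: Zone = {
    APEX:             ("vu-100." + APEX, {"SOA", "NS", "NSEC"}),
    "vu-100." + APEX: ("vu-200." + APEX, {"TXT", "NSEC"}),
    "vu-200." + APEX: ("vu-300." + APEX, {"TXT", "NSEC"}),
    "vu-300." + APEX: (APEX,             {"TXT", "NSEC"}),
}


def canonical_key(name: str) -> Tuple[str, ...]:
    """Sort key approximating DNSSEC canonical order (RFC 4034 section 6.1):
    labels compared from the root downward, case-insensitively, with a name
    sorting before its own subdomains. Sufficient for ASCII hostnames."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def walk_nsec_chain(zone: Zone, apex: str, max_hops: int) -> Tuple[List[str], str]:
    """Follow NSEC next pointers from the apex.

    Returns (names visited, status) with status one of:
      'complete' - chain closed back at the apex (the whole list was read)
      'gave_up'  - hop cap reached before the chain closed
      'broken'   - pointer to a name not in the zone, a revisit, or a next
                   name that does not sort above the current one
    """
    visited: List[str] = []
    current = apex
    for _ in range(max_hops):
        if current not in zone:
            return visited, "broken"
        nxt, _types = zone[current]
        visited.append(current)
        if nxt == apex:
            return visited, "complete"
        if nxt in visited or canonical_key(nxt) <= canonical_key(current):
            return visited, "broken"
        current = nxt
    return visited, "gave_up"


def listed_vulns(zone: Zone, apex: str, max_hops: int) -> List[str]:
    """Names in the chain that carry a TXT record, i.e. the entries of the
    list. Empty unless the walk completed: a partial read proves nothing about
    what the unread tail of the chain contains."""
    visited, status = walk_nsec_chain(zone, apex, max_hops)
    if status != "complete":
        return []
    return [n for n in visited if "TXT" in zone[n][1]]


def broken_zone() -> Zone:
    """Copy of VULN_ZONE whose last NSEC points back into the chain instead
    of wrapping to the apex: a loop an unbounded walker would never leave."""
    zone = dict(VULN_ZONE)
    zone["vu-300." + APEX] = ("vu-200." + APEX, {"TXT", "NSEC"})
    return zone


if __name__ == "__main__":
    print(walk_nsec_chain(VULN_ZONE, APEX, max_hops=10))
    print(walk_nsec_chain(VULN_ZONE, APEX, max_hops=2))
    print(walk_nsec_chain(broken_zone(), APEX, max_hops=10))
    print(listed_vulns(VULN_ZONE, APEX, max_hops=10))
```

The hop cap is the only thing that makes the walk terminate against a zone the client does not control; the ordering and revisit checks turn a looping or mis-signed chain into an immediate failure rather than a slow one, and a walk that did not close returns no entries at all, since "I stopped after N hops" is not evidence of being clean.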