phoning home
Jim Reid
jim at rfc1035.com
Mon Jun 13 09:21:41 UTC 2011
On 12 Jun 2011, at 20:54, Hauke Lampe wrote:
>> this is slightly tamer than what i'm going to propose for BIND. i want to
>> be able to send a specific message saying "CERT VU# xyz" if someone is running
>> a known-vulnerable version. DNSSEC now makes this practical. but it would
>> be an information leak, since the version number would be part of the QNAME.
Well maybe. But who says the QNAME must be related to the BIND version
that issues this lookup?
> How about a zone listing vulnerabilities, linked by NSEC?
This is a Stunningly Bad Idea. DNS RDATA is not a good place to
implement linked lists, even though NSEC provides that capability as a
side-effect. What is the client expected to do while this "find if
I've got any security bugs" quest is under way?
How many NSECs would an implementation have to traverse before it gave
up or decided it didn't have a security hole?
I'm not convinced that getting BIND to phone home (when? how often?)
is worthwhile.
First the people who need to do something about old, buggy versions
will not see these warnings or do anything about them. They won't be
checking their logs. Or know how to switch on this bugfix check. [It
would be configurable, right?] These guys already don't visit the ISC
web site for info about vulnerabilities or read any of the lists where
announcements get made about a security problem. Expecting them to
read and act on a message in the name server logs seems optimistic
and/or naive. Unless the server refuses to run until it gets upgraded.
Which introduces another set of nasties...
Next, what's to be done about vendors who fold their own tweaks into
the code? Or mangle the version info to match their own release
conventions? Think $LinuxDistro BIND version foo which is actually
BIND x.y.z with (some of) the BIND x.y.z security patches applied.
Maintaining the DNS infrastructure for security-holes.bind.isc.org (or
whatever) will be a problem. This is probably not a big deal, though
the long-term consequences could be unpleasant: ISC would be committed
to sustaining this domain forever.
And what happens when lookups for this domain fail because they get
blocked at the corporate firewall or when an organisation has an
internal root?
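As an added illustration, not code from this thread, from ISC or from BIND, the following Python models the two mechanisms being argued over: a lookup whose QNAME embeds (or hides) the running version, and a vulnerability zone whose names are chained by NSEC, walked with a hop cap so the "how many NSECs before it gives up" question has a concrete answer. The apex `security-holes.example`, the version strings and the advisory texts are constructed placeholders; nothing here touches the network.

```python
"""Toy model of the 'phone home' lookup discussed in this thread.

Added illustration only: this is not code from BIND, ISC or the original posters.
The zone apex, version strings and advisory texts are constructed placeholders.
"""
import hashlib
from typing import List, Optional, Tuple

# Assumed placeholder apex; the thread mentions "security-holes.bind.isc.org (or
# whatever)" but defines no such zone, so a .example name is used here.
APEX = "security-holes.example"


def canonical_key(name: str) -> tuple:
    """Sort key approximating DNSSEC canonical name order (RFC 4034 section 6.1):
    labels are compared right to left, case-insensitively, as octet strings."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode() for label in reversed(labels))


def plain_qname(version: str) -> str:
    """QNAME carrying the version literally: the information leak the quoted text
    warns about, since anyone who sees the query learns the running version."""
    return f"{version.replace('.', '-')}.{APEX}"


def opaque_qname(version: str) -> str:
    """QNAME derived by a one-way hash, one answer to 'who says the QNAME must be
    related to the BIND version': the record is still keyed per version but the
    name no longer spells it out."""
    digest = hashlib.sha256(version.encode()).hexdigest()[:16]
    return f"{digest}.{APEX}"


def recover_version(qname: str, candidate_versions: List[str]) -> Optional[str]:
    """Caveat on opaque_qname: the set of BIND versions ever shipped is small and
    public, so an observer can hash each candidate and match. Hashing only hides
    the version from someone who does not bother to enumerate."""
    for version in candidate_versions:
        if opaque_qname(version) == qname:
            return version
    return None


# Constructed signed zone: owner name -> advisory TXT (None means the name exists
# but carries no advisory). NSEC gives each owner a pointer to the next owner in
# canonical order, the last one wrapping to the apex; that is the "linked list".
TOY_ZONE = sorted(
    {
        APEX: None,
        plain_qname("9.7.0"): "CERT VU# placeholder-1",
        plain_qname("9.7.1"): "CERT VU# placeholder-2",
        plain_qname("9.7.2"): None,
        plain_qname("9.8.0"): "CERT VU# placeholder-3",
    }.items(),
    key=lambda item: canonical_key(item[0]),
)
OWNERS = [owner for owner, _ in TOY_ZONE]
ADVISORY = dict(TOY_ZONE)


def covering_owner(qname: str) -> str:
    """The NSEC that answers a query for qname: qname itself if it exists, else the
    closest preceding owner, whose NSEC proves the gap (a version with no entry)."""
    key = canonical_key(qname)
    before = [owner for owner in OWNERS if canonical_key(owner) <= key]
    return before[-1] if before else OWNERS[-1]


def nsec_next(owner: str) -> str:
    """Next owner name in the NSEC chain, wrapping from the last name to the apex."""
    return OWNERS[(OWNERS.index(owner) + 1) % len(OWNERS)]


def walk_chain(qname: str, max_hops: int) -> Tuple[List[str], int, bool]:
    """Follow NSEC pointers from the record covering qname, collecting advisories,
    until the chain comes back round to its start or max_hops is spent.
    Returns (advisories, hops, gave_up). Without a cap the client reads the whole
    zone on every check; with one it may stop before seeing its own advisory."""
    start = covering_owner(qname)
    advisories, hops, current = [], 0, start
    while True:
        if ADVISORY[current] is not None:
            advisories.append(ADVISORY[current])
        current = nsec_next(current)
        hops += 1
        if current == start:
            return advisories, hops, False
        if hops >= max_hops:
            return advisories, hops, True


if __name__ == "__main__":
    print(plain_qname("9.7.0"), opaque_qname("9.7.0"))
    print(walk_chain(plain_qname("9.7.0"), max_hops=100))
    print(walk_chain(plain_qname("9.6.0"), max_hops=2))
```

Two things the model makes visible: a full walk costs one query per name in the zone (five here, thousands for a real advisory history), and a capped walk from an unlisted version stops early with an incomplete picture, which is the "gave up or decided it didn't have a security hole" dilemma in concrete form.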