phoning home

Jim Reid jim at rfc1035.com
Mon Jun 13 17:40:47 UTC 2011


On 13 Jun 2011, at 18:18, Paul Vixie wrote:

>> And what happens when lookups for this domain fail because they get
>> blocked at the corporate firewall or when an organisation has an
>> internal root?
>
> that would prevent this value from being added.  does this argue for  
> a web
> services method instead of a DNS method?

No. Well not from me anyway... Consider paranoid firewall rules that  
restrict a traffic in and out of a DNS server to UDP and TCP to/from  
port 53.

If phoning home is felt to be worthwhile, IMO, it should be  
configurable and only use DNS transport. Maybe some config file goop  
like:
	security-version-check {domain-name} off|warn|stop;

The {domain-name} would be for those who repackage BIND and the  
options (off as default?) do the obvious things: don't check, log a  
warning, refuse to start.

BTW, another icky problem is dealing with holes in ancillary software  
like an old openssl or xml library that might or might not be compiled/ 
linked in. Encoding this info in the QNAME could get messy very quickly.





More information about the bind-workers mailing list