phoning home
Jim Reid
jim at rfc1035.com
Mon Jun 13 17:40:47 UTC 2011
On 13 Jun 2011, at 18:18, Paul Vixie wrote:
>> And what happens when lookups for this domain fail because they get
>> blocked at the corporate firewall or when an organisation has an
>> internal root?
>
> that would prevent this value from being added. does this argue for a web
> services method instead of a DNS method?
No. Well not from me anyway... Consider paranoid firewall rules that
restrict traffic in and out of a DNS server to UDP and TCP to/from
port 53.
If phoning home is felt to be worthwhile, IMO, it should be
configurable and only use DNS transport. Maybe some config file goop
like:
security-version-check {domain-name} off|warn|stop;
The {domain-name} would be for those who repackage BIND and the
options (off as default?) do the obvious things: don't check, log a
warning, refuse to start.
BTW, another icky problem is dealing with holes in ancillary software
like an old openssl or xml library that might or might not be
compiled/linked in. Encoding this info in the QNAME could get messy very quickly.
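As an added illustration of the option sketched above (not part of the post, and not BIND code): a Python model that parses the proposed `security-version-check` line, builds the QNAME that would carry the BIND and ancillary library versions, and applies off/warn/stop to the answer. The zone contents, the answer format (the record names the version currently shipped) and the choice to never escalate a failed lookup to "stop" are assumptions.

```python
# Constructed sketch of the DNS-only version check discussed above; not BIND code.
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed zone data standing in for the packager's domain: the QNAME a build
# would ask for, mapped to the version the packager currently ships (assumed format).
FAKE_ZONE = {
    "9.8.0.openssl-1.0.0.version-check.example.net.": "9.8.0-P2",
    "9.8.0-P2.openssl-1.0.0.version-check.example.net.": "9.8.0-P2",
}

def parse_option(line: str) -> Tuple[str, str]:
    """Parse `security-version-check {domain-name} off|warn|stop;`."""
    m = re.fullmatch(r"\s*security-version-check\s+(\S+)\s+(off|warn|stop)\s*;\s*", line)
    if not m:
        raise ValueError(f"bad option: {line!r}")
    return m.group(1).rstrip(".") + ".", m.group(2)

def build_qname(bind_version: str, libs: Dict[str, str], domain: str) -> str:
    """Encode BIND and ancillary library versions as labels under the domain,
    enforcing the DNS limits (label <= 63 octets, name <= 253 octets) that the
    encoding the post calls messy hits first. Dots in versions become extra labels."""
    name = ".".join([bind_version] + [f"{k}-{v}" for k, v in sorted(libs.items())])
    name = f"{name}.{domain}"
    for label in name.rstrip(".").split("."):
        if not 0 < len(label.encode()) <= 63:
            raise ValueError(f"bad label {label!r} in {name}")
    if len(name.rstrip(".").encode()) > 253:
        raise ValueError(f"name too long: {name}")
    return name

def check(option_line: str, bind_version: str, libs: Dict[str, str],
          resolve: Callable[[str], Optional[str]]) -> Tuple[str, str]:
    """Apply the configured mode; returns (action, message) with action in
    skip|ok|warn|stop. A failed lookup (None: blocked at a corporate firewall,
    unknown to an internal root) is reported but never escalates to stop (assumption)."""
    domain, mode = parse_option(option_line)
    if mode == "off":
        return "skip", "version check disabled"
    qname = build_qname(bind_version, libs, domain)
    current = resolve(qname)
    if current is None:
        return "warn", f"version check lookup for {qname} failed; continuing"
    if current == bind_version:
        return "ok", f"{bind_version} is current"
    msg = f"{bind_version} is superseded by {current}"
    return ("stop" if mode == "stop" else "warn"), msg
```

`resolve` is any callable returning the advertised version or None; `FAKE_ZONE.get` plays that role here so the sketch runs offline.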