phoning home

Paul Vixie vixie at isc.org
Mon Jun 13 21:35:19 UTC 2011


> From: Rick Jones <rick.jones2 at hp.com>
> Date: Mon, 13 Jun 2011 14:06:28 -0700
> 
> > i think bind needs something like this, but maybe it's an
> > information leak?
> 
> Does it really have to be?  If all BIND did was ask <site> "What is
> the version and date of the latest (security) update?", compared that
> with what it had internally, and said nothing about its own version in
> the query, the only thing that would leak about the version of BIND
> would be that it was asking in the first place, telling someone "It is
> no older than <foo>."  Right?

sadly, not.  we have multiple concurrent release streams.  knowing that
there is a late security-related release for 9.8 does not help a 9.6
server at all and if we signal a defect on that basis we'll often be
"crying wolf" since the defect may only be in the later version.  and we
do continue to release new point releases, and patches, on older
versions.  (this is expensive for ISC but it's in the public interest.)


