phoning home

Rick Jones rick.jones2 at hp.com
Mon Jun 13 22:11:49 UTC 2011


On Mon, 2011-06-13 at 21:35 +0000, Paul Vixie wrote:
> > From: Rick Jones <rick.jones2 at hp.com>
> > Date: Mon, 13 Jun 2011 14:06:28 -0700
> > 
> > > i think bind needs something like this, but maybe it's an
> > > information leak?
> > 
> > Does it really have to be?  If all BIND did was ask <site> "What is
> > the version and date of the latest (security) update?", compared that
> > with what it had internally, and said nothing about its own version in
> > the query, the only thing that would leak about the version of BIND
> > would be that it was asking in the first place, telling someone "It is
> > no older than <foo>."  Right?
> 
> sadly, not.  we have multiple concurrent release streams.  knowing that
> there is a late security related release for 9.8 does not help a 9.6
> server at all and if we signal a defect on that basis we'll often be
> "crying wolf" since the defect may only be in the later version.  and we
> do continue to release new point releases, and patches, on older
> versions.  (this is expensive for ISC but it's in the public interest.)

BIND ostensibly knows its major, minor and even fix revision right?
Just how many major.minor releases are there? Just return the entire
list of *latest* security-related releases and let BIND sort it out?  I
would think that all you need is the initial "you are behind" signal,
and any greater "intelligence" can come from the administrator (sure,
that may be optimistic, but you said you were an optimist, right?)

Major  Minor  Fix (?)  Date (UTC I presume)

would seem to be what BIND needs to know, to compare against itself.  I
would think you could fit quite a few of those in a single reply?  Even
if it is all ASCII, four characters for Major and Minor, four or eight
characters for Fix if that needs to be in the list, and then something
like "2011-06-13:12:11:10.09" or 22 characters for the Date and you are
at 30 or 38 characters per "entry".  Heck, pad it out to 64 characters
and you should still be able to fit several in an (EDNS) reply, no?  And
even if it does have to fall back to TCP, this is sufficiently rare even
at once an hour that the overhead of establishing a TCP connection to
port 53 would seem to be very much a don't care.

rick jones
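The scheme sketched in the message above, as an added example (not code from this thread, from ISC, or from BIND): one fixed-width ASCII record per maintained major.minor stream, padded to 64 bytes, plus the client-side comparison that only looks at the entry for its own stream, so a newer 9.8 release does not trip a 9.6 server. The record layout, the field widths (4+4+8+22 = 38 characters, per the estimate above), the 4096-byte EDNS payload and 64-byte framing overhead, and the release list with its fix levels and dates are all assumptions made for illustration, not real BIND release data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

RECORD_LEN = 64          # assumed: each entry padded to 64 bytes, as suggested above
EDNS_PAYLOAD = 4096      # assumed advertised EDNS UDP payload size
FRAME_OVERHEAD = 64      # assumed bytes for DNS header, question and OPT RR

UTC = timezone.utc


@dataclass(frozen=True)
class Release:
    major: int
    minor: int
    fix: int
    date: datetime       # UTC, hundredths of a second

    @property
    def stream(self):
        """The release stream an entry belongs to, e.g. (9, 6)."""
        return (self.major, self.minor)


def _fmt_date(dt):
    # "2011-06-13:12:11:10.09": 22 characters, matching the estimate above.
    return "%s.%02d" % (dt.strftime("%Y-%m-%d:%H:%M:%S"), dt.microsecond // 10000)


def _parse_date(s):
    base = datetime.strptime(s[:19], "%Y-%m-%d:%H:%M:%S")
    return base.replace(microsecond=int(s[20:22]) * 10000, tzinfo=UTC)


def encode(rel):
    """One record: 4 chars major, 4 minor, 8 fix, 22 date, padded to RECORD_LEN."""
    body = "%4d%4d%8d%-22s" % (rel.major, rel.minor, rel.fix, _fmt_date(rel.date))
    return body.ljust(RECORD_LEN).encode("ascii")


def decode(rec):
    """Inverse of encode(); field offsets follow the fixed widths above."""
    s = rec.decode("ascii")
    return Release(int(s[0:4]), int(s[4:8]), int(s[8:16]), _parse_date(s[16:38]))


def encode_reply(releases):
    """The whole reply: the latest security release of every maintained stream."""
    return b"".join(encode(r) for r in releases)


def decode_reply(payload):
    if len(payload) % RECORD_LEN:
        raise ValueError("truncated reply: %d bytes" % len(payload))
    return [decode(payload[i:i + RECORD_LEN]) for i in range(0, len(payload), RECORD_LEN)]


def max_records_per_reply():
    """How many 64-byte entries fit in one UDP reply under the assumed budget."""
    return (EDNS_PAYLOAD - FRAME_OVERHEAD) // RECORD_LEN


def fits_in_udp(payload):
    """False means the exchange would fall back to TCP on port 53."""
    return len(payload) + FRAME_OVERHEAD <= EDNS_PAYLOAD


def check_update(local, latest):
    """Compare only against the entry for the local major.minor stream.

    Returns "behind", "current", or "unknown" when the reply carries no
    entry for the local stream (e.g. a stream ISC no longer maintains).
    """
    by_stream = {r.stream: r for r in latest}
    ref = by_stream.get(local.stream)
    if ref is None:
        return "unknown"
    return "behind" if ref.fix > local.fix else "current"


# Constructed sample reply: fictitious fix levels and dates, not real BIND releases.
LATEST = [
    Release(9, 6, 3, datetime(2011, 6, 13, 12, 11, 10, 90000, tzinfo=UTC)),
    Release(9, 7, 4, datetime(2011, 6, 13, 12, 11, 10, 90000, tzinfo=UTC)),
    Release(9, 8, 1, datetime(2011, 6, 13, 12, 11, 10, 90000, tzinfo=UTC)),
]


if __name__ == "__main__":
    wire = encode_reply(LATEST)
    print("%d bytes on the wire, fits in UDP: %s, max entries per reply: %d"
          % (len(wire), fits_in_udp(wire), max_records_per_reply()))
    unused = datetime(2011, 1, 1, tzinfo=UTC)
    for local in (Release(9, 6, 2, unused), Release(9, 8, 1, unused), Release(9, 5, 9, unused)):
        print("local %d.%d.%d -> %s" % (local.major, local.minor, local.fix,
                                        check_update(local, decode_reply(wire))))
```

Nothing about the querying server's own version goes on the wire; the only thing an observer learns is that some host asked, which is the leak the quoted question already accepts. Matching on the stream key is what keeps the "crying wolf" case out: a 9.6 server ignores the 9.8 entry entirely.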
