phoning home

Michael Graff mgraff at isc.org
Mon Jun 13 22:12:58 UTC 2011


On 6/13/11 4:21 AM, Jim Reid wrote:

> I'm not convinced that getting BIND to phone home (when? how often?) is
> worthwhile.

There is one reason:  it is useful for ISC to know what versions of BIND
are actually in use "in the wild" when we run into a security hole or
protocol edge case.

It is very, very hard to judge the severity of security events when we
cannot even know who our customers are, or how popular an affected
release actually is.  It would be extremely useful to have a way to
insert a message indicating that a given version is out of date with
respect to current versions into logs to try to reach people.  Beyond
that, it would be good to know the population of BIND 9.4.2 (for
instance) so we know if we should also patch that, or at least worry
about it.

I'd make all version reporting anonymous, and all log messages generic.
I have no intent of using this as a marketing back-channel.

Many software products use some form of phone home / version reporting
technology.  If this question had been asked 5 years ago we'd get a very
different answer than we did now.

- --Michael


