vixie at isc.org
Mon Jun 13 22:20:48 UTC 2011
> From: Rick Jones <rick.jones2 at hp.com>
> Date: Mon, 13 Jun 2011 15:11:49 -0700
> BIND ostensibly knows its major, minor and even fix revision right?
> Just how many major.minor releases are there? Just return the entire
> list of *latest* security related releases let BIND sort it out? I
> would think that all you need is the initial "you are behind" signal,
> and any greater "intelligence" can come from the administrator (sure,
> that may be optimistic but you said you were an optimist right?)
> Major Minor Fix (?) Date (UTC I presume)

you're right, or you should be right, and you may yet be right. it's
not always possible given our currently somewhat hairy version numbering
scheme to compute "greater than or lesser than" for two version numbers.

also, it's not necessarily the case that a vulnerability in some version
is also present in other versions whose numbers are "greater than" that.

and it's not always the case that "you are behind" is useful information.

the only thing i can be sure is of public benefit is a notification that
"you are vulnerable".

therefore my expectation has been that we'd have a specific domain name
corresponding to every version we ship, and that when that version wants
to know what its maker thinks, it will make a specific query to "there".
which is why i worry that this would be an information leak.

on the other hand...

if we digitally sign an rrset at "vulnerabilities.bind9.software.isc.org"
which is a bunch of TXT RRs of the form "9.3.4-P5" "220.127.116.11-P3" (yes,
that's two segments in one TXT payload) then they'd probably all fit in
a 512 byte response even with an RRSIG. this is worth considering, since
the querier could just do string compares, not greater/lesser compares.
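The signed-TXT-RRset idea from the message, worked through as an added example (this is not ISC's or BIND's code, and nothing here is from the original post beyond the owner name and the "9.3.4-P5" string): TXT <character-string> packing with two version strings in one payload, an "am I vulnerable?" check done by exact string equality rather than version ordering, and a wire-size estimate of the UDP answer with one RRSIG to see whether it stays under 512 bytes. The second and third version strings, the signer name "isc.org." and the 128-byte RSA signature length are assumptions chosen for illustration.

```python
"""
Added example, not ISC's or BIND's own code: a model of the design sketched
in the message, where one signed TXT RRset at a fixed owner name lists the
exact version strings that are vulnerable and a client answers "am I
vulnerable?" by string equality alone, never by version ordering.

Assumptions (not from the message): every RRset entry other than "9.3.4-P5",
the signer name "isc.org.", and the signature length used for sizing.
"""

OWNER = "vulnerabilities.bind9.software.isc.org."  # owner name named in the message
SIGNER = "isc.org."                                  # assumed signing zone


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels plus a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_txt_rdata(strings) -> bytes:
    """TXT RDATA (RFC 1035): one or more <character-string>s, each a 1-byte
    length followed by up to 255 octets. Several strings may share one RR."""
    out = b""
    for s in strings:
        raw = s.encode("ascii")
        if len(raw) > 255:
            raise ValueError("character-string exceeds 255 octets")
        out += bytes([len(raw)]) + raw
    return out


def parse_txt_rdata(rdata: bytes) -> list:
    """Inverse of build_txt_rdata; a length byte that overruns the payload is an error."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated character-string")
        strings.append(rdata[i:i + n].decode("ascii"))
        i += n
    return strings


# Constructed sample RRset. The first RR carries two version strings in one
# payload, as the message describes; the second string and the second RR are
# placeholders, not the (garbled) values from the original post.
SAMPLE_RDATAS = [
    build_txt_rdata(["9.3.4-P5", "9.4.3-P3"]),
    build_txt_rdata(["9.6.2-P2"]),
]


def vulnerable_versions(rdatas) -> set:
    """Every <character-string> in the RRset is one exact affected version."""
    return {v for rd in rdatas for v in parse_txt_rdata(rd)}


def is_vulnerable(version: str, rdatas) -> bool:
    """Exact match only: "9.3.4-P6" is not flagged just because it sorts after
    "9.3.4-P5", which is the point of avoiding greater/lesser comparisons."""
    return version in vulnerable_versions(rdatas)


# Wire-size estimate for a UDP answer: 12-byte header, question section,
# each answer RR with a 2-byte compression pointer for its owner name.
HEADER_LEN = 12
RR_FIXED_LEN = 2 + 2 + 2 + 4 + 2  # owner pointer, TYPE, CLASS, TTL, RDLENGTH


def rrsig_rdata_len(signer: str, sig_len: int) -> int:
    """RFC 4034 s3.1: 18 fixed octets, uncompressed signer name, signature."""
    return 18 + len(encode_name(signer)) + sig_len


def response_size(owner: str, rdatas, signer: str, sig_len: int) -> int:
    """Bytes in a response carrying the TXT RRset plus one covering RRSIG."""
    size = HEADER_LEN + len(encode_name(owner)) + 4  # QNAME + QTYPE + QCLASS
    for rd in rdatas:
        size += RR_FIXED_LEN + len(rd)
    return size + RR_FIXED_LEN + rrsig_rdata_len(signer, sig_len)


def fits_in_512(owner: str, rdatas, signer: str, sig_len: int) -> bool:
    """True when a plain (non-EDNS) 512-byte UDP reply holds everything."""
    return response_size(owner, rdatas, signer, sig_len) <= 512


if __name__ == "__main__":
    for v in ("9.3.4-P5", "9.3.4-P6"):
        print(v, "vulnerable" if is_vulnerable(v, SAMPLE_RDATAS) else "not listed")
    print("bytes with a 128-byte RRSIG:", response_size(OWNER, SAMPLE_RDATAS, SIGNER, 128))
```

Two design points worth noting. The client queries the same fixed owner name whatever version it runs, so the query itself carries no version information, unlike the one-name-per-version scheme the message worries about; the version only ever appears in the local string compare. And the size estimate is deliberately crude: it assumes a single RRSIG, a fixed signature length (128 bytes here, as for RSA with a 1024-bit key), and no EDNS, so it answers only the question the message asks, namely whether a short list of version strings plus one signature stays under the classic 512-byte limit. Verifying the RRSIG is the validating resolver's job and is not modelled.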