[dns-operations] New subscribers
Lyle Giese
lyle at lcrcomputer.net
Tue Dec 28 16:02:41 UTC 2010
Paul Vixie wrote:
>> Date: Tue, 28 Dec 2010 07:55:07 -0600
>> From: Lyle Giese <lyle at lcrcomputer.net>
>> ...
>> I started a small home based ISP operation around 2000 and installed
>> Bind8.something (current at the time) and discovered that I had a version
>> that could be crashed with a magic packet/query. ...
>>
>
> i'm so sorry about that! i remember that bug. at that time my day job
> was mfn/abovenet, and i remember annoying my customers there by probing our
> entire address space looking for vulnerable bind8 versions... talk about
> a conflict of interest, eh?
>
>
Yea, I was just starting out and had to figure out why named would just
disappear on me.
>> ... That sent me down the path of learning how to monitor services and
>> get notified of outages (now using Nagios for this).
>>
>> It also taught me to install from source and always use the latest
>> production code to prevent these as best I can. Now on the path to
>> learn DNSSEC and IPv6 (I have native IPv6 here from my upstream
>> provider)
>>
>
> if that bind8 bug taught you all that, then some good came of it after
> all. your policies as expressed above are best practices as far as i'm
> concerned... BIND really ought to have a startup version check option so
> that people running out of date or vulnerable versions will get
> notifications from their own installed software about it.
>
>
The startup version check can be annoying (i.e. clamav), but how often does
named need to be restarted? I only do it here when I update the code.
Before this I worked for 'the' telephone company in their Central
Offices. Working there and studying and understanding their systems
teaches you about redundancy and how to monitor their systems. One of
my sub-specialities was working with their alarm systems. I was
frequently picked for 'special' projects to update/fix these special
systems and would have to travel most of Northern Illinois to various
telephone offices.
> note, you and i are in the minority as far as installing from source,
> most folks either depend on their OS versions for updates, or they
> install from some kind of binary package manager (rpm or the local
> equivalent.)
>
>
One does need to learn to be a system administrator when your systems are
exposed to the Internet. It's my opinion that learning how to install from
source is an essential tool for a system administrator. It has been an
amazing journey with what I have been able to learn over the last 10
years of Linux administration.
>> I am always looking to learn more about new technology in all areas that
>> concern my operations here, whether it be BIND, email services, Apache
>> or related stuff.
>>
>> Lyle Giese
>> LCR Computer Services, Inc.
>>
>
> in that case you may be interested in <http://bind10.isc.org/>.
>
> paul
>
I know it's on the horizon for me. But the first thing to get my head
wrapped around will be DNSSEC next year before I need to regenerate new
keys this spring...
Lyle