[dns-operations] online version checks (was: re: New subscribers)

Paul Vixie vixie at isc.org
Wed Dec 29 16:44:40 UTC 2010

there are two replies here.


> Date: Wed, 29 Dec 2010 09:50:20 -0500
> From: Andrew Sullivan <ajs at shinkuro.com>
> > if there's a CVE for some version, does everybody "need to upgrade"?
> Surely not.  A CVE could be on a feature you have disabled.  For
> instance, if the CVE is due to remote root, but the box you're looking
> at is a distribution master that never gets queries from the outside,
> it might be more prudent to wait than it is to upgrade (because, for
> instance, there are other priorities).

since i'm talking about a once-a-day syslog and not refuse-to-startup or
automatic-download, i must be missing the importance of your distinction.
just because someone has a feature disabled the day a CVE comes out does
not mean that their successors or associates won't turn it on later.  as
an implementor i'd like to be sure that i've done all i can to make my
users safe.  do i need to differentiate CVE vs. simple updates other than
in the text of the once-a-day syslog messages i'd like to generate?

> This is one reason why packages from your OS supplier are supposed to
> be an advantage.  If you use Debian or its derivatives, for instance,
> you can put just the security feed in your apt.sources list, and then
> keep on top of that.  That's one place to manage all the urgent
> upgrades for your system, rather than having every daemon on the
> system have its own way of alerting you to these things.

alas, not every distro of every OS follows debian's most excellent example.
still, you point out an interesting opportunity to make this phone home
stuff pluggable so that it can integrate with other package management
and early warning systems that may be running in the same environment.


> From: "Roosenraad, Chris" <chris.roosenraad at twcable.com>
> Date: Wed, 29 Dec 2010 10:31:01 -0500
> >> 2)  "need to upgrade" will have a different meaning to different people.
> >
> >if there's a CVE for some version, does everybody "need to upgrade"?
> >(i see your point that the mere existence of a later version on the same
> >release, like you're running 9.17.4 and 9.17.5 comes out) might be of
> >varying interest, but if there's a CVE, can we presume universal
> >interest?)
> I think it's reasonable to give it a bit more "oomph" when there is a CVE,
> yes.  Log line of "there is an update available, please check <URL> for
> more details" for most changes, and then for a CVE say "there is a
> critical security update available, please check <URL> as soon as possible
> for more details".

this makes sense.  as bert pointed out, the logical way to do this is with
a dns query, like version.bind.software.isc.org or similar.  most likely
the resulting text record would have some machine readable parts (like the
number) and some human readable parts (for logging).  but this is really
getting far afield from dns operations and is not likely to be a multi-vendor
standard -- so, if lots of dns implementors all have this, and every
one of them does it differently and incompatibly, nobody will care.  that
means i should stop doing feature research here and move it to bind-users at .

> >would one version check per day be too often?
> Are you thinking something that will run regularly, as opposed to
> something that runs at program start?

yes, since most name servers only restart every year or two, and there's a
high probability of new versions being available more often than that.
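The scheme sketched above (a TXT answer with a machine-readable version and a human-readable part, logged with more weight when a CVE is involved), as an added illustration that is not ISC's code or any agreed format: the record name, the "key=value;..." layout and the sample answer are assumptions for this example, and the answer is embedded inline instead of being fetched over DNS.

```python
import logging
import re

# The record name and the "key=value;key=value" TXT layout are ASSUMED for this
# example; neither is an ISC specification.
VERSION_CHECK_NAME = "version.bind.software.isc.org"

# Constructed sample answer, standing in for the TXT record a real query would return.
SAMPLE_TXT = ("v=9.17.5;sec=1;url=https://example.invalid/advisory;"
              "msg=security fix, upgrade soon")

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")

def parse_version(text):
    """Turn '9.17.4' or '9.17.4-P2' into a comparable tuple; -Pn counts as a 4th field."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))

def parse_record(txt):
    """Split the machine-readable fields (v, sec, url) from the free-text msg.
    Values must not contain ';' under this assumed layout."""
    fields = {}
    for item in txt.split(";"):
        key, _, value = item.partition("=")
        if key and value:
            fields[key.strip()] = value.strip()
    if "v" not in fields:
        raise ValueError("TXT record carries no version field")
    return fields

def check_for_update(running, txt):
    """Return None if up to date, else (log level, log line) for the once-a-day syslog."""
    rec = parse_record(txt)
    if parse_version(rec["v"]) <= parse_version(running):
        return None
    url = rec.get("url", "<no url>")
    if rec.get("sec") == "1":   # CVE-driven release: louder wording and a higher level
        return (logging.CRITICAL,
                "there is a critical security update available (%s), please check %s "
                "as soon as possible for more details" % (rec["v"], url))
    return (logging.WARNING,
            "there is an update available (%s), please check %s for more details"
            % (rec["v"], url))

if __name__ == "__main__":
    logging.basicConfig(format="%(levelname)s: %(message)s")
    result = check_for_update("9.17.4", SAMPLE_TXT)
    if result:
        logging.getLogger("version-check").log(*result)
```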

