[dns-operations] online version checks for fun and profit

Jim Reid jim at rfc1035.com
Wed Dec 29 20:59:11 UTC 2010


Although this seems like a good idea it gets very ugly rather quickly.  
I doubt its deployment would add anything worthwhile. Presumably a DNS  
server wouldn't do anything more than scream in its logs whenever it  
detected a new version of itself. The DNS admins who are already  
failing to upgrade to the current DNS code won't be looking at those  
DNS/system logs anyway. Or know what to do if they did check them.  
There will also be DNS software in embedded systems that can't easily  
be upgraded in the field. What's the point of CPE whining it has an  
out of date version of BIND (say) if that can't be replaced until the  
vendor ships a new firmware image?

Then we must consider what to do when lookups of (say)  
version.bind.software.isc.org fail in some way. Suppose the name  
servers for that domain break. Or if they're unreachable because the  
server doing the lookup is inside a walled garden which has its own  
name space or is on some Bonjour-style ad-hoc network. What if the  
domain name changes because the software gets rebranded? Who'll keep a  
domain name alive for its installed base after DNSCo goes bust? And  
for how long?

I'm very uncomfortable at the suggestions that these checks could be  
made several times a day or even be configurable. [Updated versions  
don't ship *that* often, do they?] That opens up interesting vectors  
for DDoS attacks. As a for instance, consider rogue behaviour by  
bazillions of DSL/cable modems or smart phones. I'm sure ISC would  
have the iron to cope with that but other DNS vendors could well  
struggle. Unless the domain name for checking for updates was anchored  
under .arpa somehow and the world's DNS vendors were able to leech off  
that infrastructure.
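An added example, not from Jim's message or from ISC: a client-side version check written to survive the two problems raised above, a lookup that fails (broken or unreachable name servers, walled gardens, a domain that no longer exists) and a fleet of devices querying too often. The record name is the one mentioned in the thread; that it carries a bare version string, and the once-a-day-with-jitter schedule, are assumptions made for this example, and the resolver is injected so the code runs offline.

```python
import random
from dataclasses import dataclass, field

# Name taken from the thread; the TXT format (a bare version string such as
# "9.7.2") is an assumption constructed for this example.
CHECK_NAME = "version.bind.software.isc.org"
MIN_INTERVAL = 24 * 3600   # at most one lookup per host per day
JITTER = 6 * 3600          # spread a fleet's lookups over six hours


def parse_version(text):
    """'9.7.2-P3' -> (9, 7, 2); a non-numeric suffix ends the tuple."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass
class VersionChecker:
    local_version: str
    resolve_txt: object            # callable: name -> str, raises on failure
    next_check: float = 0.0
    log: list = field(default_factory=list)

    def check(self, now):
        """Do at most one lookup per interval; any lookup failure is silent."""
        if now < self.next_check:
            return None
        # Schedule the next attempt before looking up, so a failing domain
        # does not turn into a retry storm against someone's name servers.
        self.next_check = now + MIN_INTERVAL + random.uniform(0, JITTER)
        try:
            latest = self.resolve_txt(CHECK_NAME)
        except Exception:
            return None            # NXDOMAIN, timeout, walled garden: say nothing
        if parse_version(latest) > parse_version(self.local_version):
            self.log.append(f"running {self.local_version}, {latest} available")
            return latest
        return None
```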
