[dns-operations] online version checks for fun and profit
jim at rfc1035.com
Wed Dec 29 20:59:11 UTC 2010
Although this seems like a good idea it gets very ugly rather quickly.
I doubt its deployment would add anything worthwhile. Presumably a DNS
server wouldn't do anything more than scream in its logs whenever it
detected a new version of itself. The DNS admins who are already
failing to upgrade to the current DNS code won't be looking at those
DNS/system logs anyway. Or know what to do if they did check them.
There will also be DNS software in embedded systems that can't easily
be upgraded in the field. What's the point of CPE whining it has an
out of date version of BIND (say) if that can't be replaced until the
vendor ships a new firmware image?
Then we must consider what to do when lookups of (say)
version.bind.software.isc.org fail in some way. Suppose the name
servers for that domain break. Or if they're unreachable because the
server doing the lookup is inside a walled garden which has its own
name space or is on some Bonjour-style ad-hoc network. What if the
domain name changes because the software gets rebranded? Who'll keep a
domain name alive for its installed base after DNSCo goes bust? And
for how long?
I'm very uncomfortable at the suggestions that these checks could be
made several times a day or even be configurable. [Updated versions
don't ship *that* often, do they?] That opens up interesting vectors
for DDoS attacks. As a for instance, consider rogue behaviour by
bazillions of DSL/cable modems or smart phones. I'm sure ISC would
have the iron to cope with that but other DNS vendors could well
struggle. Unless the domain name for checking for updates was anchored
under .arpa somehow and the world's DNS vendors were able to leech off
More information about the dns-operations