[dns-operations] online version checks

Florian Weimer fweimer at bfk.de
Fri Dec 31 12:19:12 UTC 2010


* Joe Greco:

> Some of us already automate checking versions of DNS servers in our
> network monitoring systems, but finding out when you really need to
> upgrade vs a minor feature update is still a bit of an art form; as
> Paul said, most DNS servers only get restarted very infrequently, and
> I do not get paid to run around upgrading nameservers just because
> someone added a new feature we don't use/need anyways.

For a growing number of people, running outdated code is a compliance
issue.  This is particularly true if a scanner vendor decides to infer
a vulnerability based on some form of probing.

> I'd *like* to be able to have better ways to monitor nameservers, but
> some of what would be most useful really requires support in the code
> itself, or from ISC.

It's a bit difficult to put things in the code itself without getting
guaranteed conflicts when applying patches.  ($Id$ and stuff like that
have this problem.)  A directory containing patch marker files might
work, though.  But then you're clearly beyond a single,
mostly-sequential version number.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
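
Added example, not part of the original message or any project's code: a Python sketch of the patch-marker-directory idea from the reply above, set against the version-number inference a scanner makes. The `patches.d` layout, the fix ids and the version numbers are constructed assumptions.

```python
import os
import tempfile

def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def flagged_by_version(running, fixed_in):
    """Scanner-style inference: older than the fixed release means vulnerable."""
    return parse_version(running) < parse_version(fixed_in)

def applied_fixes(marker_dir):
    """Assumed layout: each applied patch adds one file named after its fix id.
    Separate files mean two patches never touch the same line, so they
    do not conflict the way an in-source version string would."""
    try:
        return {name for name in os.listdir(marker_dir)
                if os.path.isfile(os.path.join(marker_dir, name))}
    except FileNotFoundError:
        return set()  # no marker directory: nothing is recorded as applied

def missing_fixes(marker_dir, required):
    """Required fix ids that have no marker file, sorted for stable reports."""
    return sorted(set(required) - applied_fixes(marker_dir))

def build_sample(root):
    """Constructed sample: an old build carrying one backported fix."""
    marker_dir = os.path.join(root, "patches.d")  # hypothetical directory name
    os.makedirs(marker_dir)
    open(os.path.join(marker_dir, "FIX-EXAMPLE-0001"), "w").close()
    return marker_dir

def demo():
    with tempfile.TemporaryDirectory() as root:
        marker_dir = build_sample(root)
        required = ["FIX-EXAMPLE-0001", "FIX-EXAMPLE-0002"]  # placeholder ids
        return {
            # Version alone flags the host for both fixes.
            "version_flag": flagged_by_version("1.4.0", "1.4.2"),
            # Marker files show only the second fix is actually absent.
            "missing": missing_fixes(marker_dir, required),
        }

if __name__ == "__main__":
    print(demo())
```
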


