[dns-operations] online version checks
wllarso
wllarso at swcp.com
Mon Jan 3 23:30:20 UTC 2011
On Mon, 03 Jan 2011 14:48:48 -0600, Michael Graff wrote:
> On 12/31/10 6:54 AM, Joe Greco wrote:
>> If we're discussing wishful thinking, it'd be nice to have a queryable
>> flag in the nameserver, maybe alongside the VERSION.BIND stuff.
>>
>> UPGRADE.BIND -> available, required
>>
>> This doesn't work, however, for nameservers that don't have access to
>> the public Internet. For those cases, it'd be more practical to have
>> a way for a network monitoring system to discover whether or not a
>> given version of BIND needed to be updated.
>
> A little of both seems good. I really like the UPGRADE.BIND query, and
> will have to see about getting that in the works.
>
> I don't think we would make this sort of system tricky to implement in
> an external monitoring system. If that system knew the versions, and it
> could query the public internet, then it could easily find the same data
> and match the items up.
I don't think that this will be as simple as people are saying.
Think about the logic required here. Querying for some zone, such
as "VERSION.BIND", is a simple DNS query returning one TXT record of
information. Querying for "UPGRADE.BIND" and expecting it to
return something saying you are out of date will also require sending
information as to what version you are currently running. This is a
major change to the functional logic of BIND. No more simply providing
an answer to a DNS query.
Now, having some server providing an answer for "CURRENT.BIND" which
provides the current production version of BIND may be useful. But,
since there are three or four different versions of BIND from ISC that
could be considered "current", which version to return may be
problematic. Then when you add on the possible BIND versions shipped,
and supported, by a software vendor, this becomes even more complex.
Checking the current release version of BIND really won't be too
difficult, assuming there is a CHAOS/TXT string to return for
"CURRENT.BIND" from some master server(s). Don't try to add this
"you're out of date" functionality to BIND itself but use the startup
script to check for the current version and compare it to what is
currently running and then report any mismatch between the two.
Don't take a sledge hammer approach to this issue. With DNSSEC, BIND
is getting pretty complex as is. If you want this version-checking
functionality, fine, but don't make BIND itself (and the BIND developers)
pay for the added work. A very simple DNS query performed by "dig" can
give you the answer you need.
Bill Larson
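The startup-script approach Bill describes, as an added example that is not part of the original mail and not code from ISC: it reads the running version from the real CHAOS/TXT "version.bind" record, reads the "current" version from a hypothetical "current.bind" CHAOS/TXT record on an assumed master server (master.example.net; no such ISC service exists), and compares the two. The version parsing assumes strings of the form MAJOR.MINOR.PATCH or MAJOR.MINOR.PATCH-Pn, which is an assumption made here; beta and rc strings are not handled.

```shell
#!/bin/sh
# Added example, not from the original mail or from ISC.
# Compares the version named reports via CHAOS/TXT "version.bind" with a
# "current" version published the same way.
#
# Assumptions (hypothetical, not real ISC names or services):
#   - $CURRENT_BIND_SERVER answers a CHAOS TXT query for "current.bind"
#     with the current release string
#   - versions look like MAJOR.MINOR.PATCH or MAJOR.MINOR.PATCH-Pn;
#     beta/rc strings are not handled

CURRENT_BIND_SERVER=${CURRENT_BIND_SERVER:-master.example.net}  # hypothetical
LOCAL_NAMED=${LOCAL_NAMED:-127.0.0.1}

# Remove the quotes dig puts around TXT data: "9.7.2-P3" -> 9.7.2-P3
strip_txt() {
    printf '%s\n' "$1" | sed 's/^"//; s/"$//'
}

# Turn 9.7.2-P3 into "9 7 2 3" (a missing -Pn becomes 0) for numeric comparison
version_key() {
    vk_v=$1
    vk_base=${vk_v%%-*}
    vk_suffix=${vk_v#"$vk_base"}
    vk_p=0
    case $vk_suffix in
        -P*) vk_p=${vk_suffix#-P} ;;
    esac
    vk_oldifs=$IFS
    IFS=.
    set -- $vk_base
    IFS=$vk_oldifs
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$vk_p"
}

# Exit status 0 if version $1 is older than version $2, 1 otherwise
version_older() {
    vo_a=$(version_key "$1")
    vo_b=$(version_key "$2")
    set -- $vo_a $vo_b      # $1..$4 = running, $5..$8 = current
    vo_i=0
    while [ "$vo_i" -lt 4 ]; do
        if [ "$1" -lt "$5" ]; then return 0; fi
        if [ "$1" -gt "$5" ]; then return 1; fi
        shift
        vo_i=$((vo_i + 1))
    done
    return 1
}

# Print a one-line verdict from two raw TXT strings; never fails, so it is
# safe to call from a startup script running under set -e
upgrade_status() {
    us_running=$(strip_txt "$1")
    us_current=$(strip_txt "$2")
    if version_older "$us_running" "$us_current"; then
        printf 'out of date: running %s, current %s\n' "$us_running" "$us_current"
    else
        printf 'up to date: running %s\n' "$us_running"
    fi
}

# Live check: only runs when CHECK_LIVE=1, because it needs dig and the network.
# "version.bind" is the real record; "current.bind" is the hypothetical one.
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    running=$(dig @"$LOCAL_NAMED" version.bind txt chaos +short)
    current=$(dig @"$CURRENT_BIND_SERVER" current.bind txt chaos +short)
    upgrade_status "$running" "$current"
fi
```

Run it with CHECK_LIVE=1 from an init or startup script, and feed the verdict to whatever the monitoring system already collects; note that the comparison is only as trustworthy as the answer for "current.bind", so that record would need to come from a server you control or be signed.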