[dns-operations] online version checks

wllarso wllarso at swcp.com
Mon Jan 3 23:30:20 UTC 2011 

 On Mon, 03 Jan 2011 14:48:48 -0600, Michael Graff wrote:
> On 12/31/10 6:54 AM, Joe Greco wrote:
>> If we're discussing wishful thinking, it'd be nice to have a 
>> queryable
>> flag in the nameserver, maybe alongside the VERSION.BIND stuff.
>>
>> UPGRADE.BIND -> available, required
>>
>> This doesn't work, however, for nameservers that don't have access 
>> to
>> the public Internet.  For those cases, it'd be more practical to 
>> have
>> a way for a network monitoring system to discover whether or not a
>> given version of BIND needed to be updated.
>
> A little of both seems good.  I really like the UPGRADE.BIND query, 
> and
> will have to see about getting that in the works.
>
> I don't think we would make this sort of system tricky to implement 
> in
> an external monitoring system.  If that system knew the versions, and 
> it
> could query the public internet, then it could easily find the same 
> data
> and match the items up.

 I don't think that this will be as simple as people as saying.

 Think about the logic required here.  When querying for some zone, such 
 as "VERSION.BIND", is a simple DNS query returning one TXT record of 
 information.  Querying for "UPGRADE.BIND" and expecting to have it 
 return something saying you are out of date will also require sending 
 information as to what version you are currently running.  This is a 
 major change to the functional logic of BIND.  No more simply providing 
 an answer to a DNS query.

 Now, having some server providing an answer for "CURRENT.BIND" which 
 provides the current production version of BIND may be useful.  But, 
 since there are three or four different versions of BIND from ISC that 
 could be considered "current", which version to return may be 
 problematic.  Then when you add on the possible BIND versions shipped, 
 and supported, by a software vendor, this becomes even more complex.

 Checking the current release version of BIND really won't be too 
 difficult, assuming there is a CHAOS/TXT string to return for 
 "CURRENT.BIND" from some master server(s).  Don't try to add this 
 "you're out of date" functionality to BIND itself but use the startup 
 script to check for the current version and compare it to what is 
 currently running and then report any mismatch between the two.

 Don't take a sledge hammer approach to this issue.  With DNSSEC, BIND 
 is getting pretty complex as is.  If you want this functionality version 
 checking, fine, but don't make BIND (and BIND developers) itself pay for 
 the added work.  A very simply DNS query performed by "dig" can give you 
 the answer you need.

 Bill Larson

More information about the dns-operations mailing list