[dns-operations] Looking for wildcard record served by a stable signed TLD nameserver

Mark Andrews marka at isc.org
Mon May 12 23:34:47 UTC 2014


In message <87k39qc36o.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> * Mark Andrews:
> 
> > What's needed here is for OS maintainers to actually "maintain"
> > their OS's by including maintenance releases of the software they
> > are shipping and not just cherry-pick security fixes back into older
> > releases.  There are bugs which don't rise to the level of requiring
> > a security advisory but are still critical bugs which need to be fixed.
> 
> Common lore suggests that BIND is best compiled from source, so the
> impact of downstreams in this area is fairly limited.  Sure, you get
> the latest and greatest at the time of installation, but what happens
> after that?
> 
> As far as I understand it, this is not about some version of BIND in
> Fedora failing, but issues at ISP resolvers, so Fedora's maintenance
> (which actually tracks upstream fairly aggressively) doesn't come into
> play.

All the OS's I am aware of issue maintenance releases.  If ISC's
fixes make it into them, then there is a chance that they will be
picked up by the end customer.  Yes there are still large numbers
of end systems that follow this maintenance path.

B.T.W.  I was not trying to single out Fedora here as I have not
checked whether they pick up the maintenance releases or just back
port security advisories.

The behaviour of back porting security fixes is pretty common.

Perhaps we should start calling maintenance releases "Service Packs"
as "Service Packs" seem to get installed but are essentially the
same thing.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


