<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Paul Vixie wrote:
<blockquote cite="mid:21276.1293550975@nsa.vix.com" type="cite">
<blockquote type="cite">
<pre wrap="">Date: Tue, 28 Dec 2010 07:55:07 -0600
From: Lyle Giese <a class="moz-txt-link-rfc2396E" href="mailto:lyle@lcrcomputer.net"><lyle@lcrcomputer.net></a>
...
I started a small home based ISP operation around 2000 and installed
Bind8.something(current at the time) and discovered that I had a version
that could be crashed with a magic packet/query. ...
</pre>
</blockquote>
<pre wrap=""><!---->
i'm so sorry about that! i remember that bug. at that time my day job
was mfn/abovenet, and i remember annoying my customers there by probing our
entire address space looking for vulnerable bind8 versions... talk about
a conflict of interest, eh?
</pre>
</blockquote>
Yea, I was just starting out and had to figure out why named would just
disappear on me.<br>
<blockquote cite="mid:21276.1293550975@nsa.vix.com" type="cite">
<pre wrap=""></pre>
<blockquote type="cite">
<pre wrap="">... That sent me down the path of learning how to monitor services and
get notified of outages(now using Nagios for this).
It also taught me to install from source and always use the latest
production code to prevent these as best I can. Now on the path to
learn DNSSEC and IPv6 (I have native IPv6 here from my upstream
provider)
</pre>
</blockquote>
<pre wrap=""><!---->
if that bind8 bug taught you all that, then some good came of it after
all. your policies as expressed above are best practices as far as i'm
concerned... BIND really ought to have a startup version check option so
that people running out of date or vulnerable versions will get
notifications from their own installed software about it.
</pre>
</blockquote>
The startup version check can be annoying(ie clamav), but how often
does named need to be restarted? I only do it here when I update the
code.<br>
<br>
Before this I worked for 'the' telephone company in their Central
Office's. Working there and studying and understanding their systems,
teaches you about redundancy and how to monitor their systems. One of
my sub-specialities was working with their alarm systems. I was
frequently picked for 'special' projects to update/fix these special
systems and would have to travel most of Northern Illinois to various
telephone offices.<br>
<blockquote cite="mid:21276.1293550975@nsa.vix.com" type="cite">
<pre wrap="">note, you and i are in the minority as far as installing from source,
most folks either depend on their OS versions for updates, or they
install from some kind of binary package manager (rpm or the local
equivilent.)
</pre>
</blockquote>
One does need to learn to be system administrator when your systems are
exposed to the Internet. It's my opinion, learning how to install from
source is an essential tool for a system administrator. It has been an
amazing journey with what I have been able to learn over the last 10
years of linux administration.<br>
<blockquote cite="mid:21276.1293550975@nsa.vix.com" type="cite">
<pre wrap=""></pre>
<blockquote type="cite">
<pre wrap="">I am always looking to learn more about new technology in all areas that
concern my operations here, whether it be BIND, email services, Apache
or related stuff.
Lyle Giese
LCR Computer Services, Inc.
</pre>
</blockquote>
<pre wrap=""><!---->
in that case you may be interested in <a class="moz-txt-link-rfc2396E" href="http://bind10.isc.org/"><http://bind10.isc.org/></a>.
paul
</pre>
</blockquote>
<br>
I know it's on the horizon for me. But the first thing to get my head
wrapped around will be DNSSEC next year before I need to regenerate new
keys this spring...<br>
<br>
Lyle<br>
</body>
</html>