North American Network Operators Group

RE: how to get people to upgrade? (Re: The weak link? DNS)

  • From: E.B. Dreger
  • Date: Wed Mar 26 13:21:25 2003

JL> Date: Wed, 26 Mar 2003 13:00:57 -0500 (EST)
JL> From: Jon Lewis


JL> How hard would it be to have bind do some sort of secure.bind.isc.org
JL> query at start-up or perhaps even periodically and have it log lots of
JL> warnings or refuse to run if the query comes back and tells it the local
JL> version has been deferred due to security updates?  One obvious problem

Not hard.  Again, I'm in favor of refusing to run... I've
encountered waaay too many "I click <OK> and it works" people.


JL> with this would be that certain vendors prefer to backport security fixes
JL> to older versions rather than test and release new versions...so an

If they're backporting, they can add their own checks.  If they
break the version checking, then they become the vendor with the
broken software.


JL> insecure-looking version string may actually have had fixes applied.
JL> Perhaps the query could be for a timestamp that's defined in the source
JL> with the assumption that any code older than the most recent security
JL> update must be insecure.

This would make a good second/additional/whatever check.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <[email protected]>
To: [email protected]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <[email protected]>, or you are likely to
be blocked.
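
The start-up check discussed in this message, written out as an added example (not code from the thread, from BIND, or from ISC). The TXT payload format `last-security-update=<UTC timestamp>`, the compiled-in `BUILD_TIME`, the vendor-set `fixes_through` value, all function names, and the choice to only warn when the lookup fails are assumptions made for illustration; the DNS answer is passed in as a constructed string so the code runs offline.

```python
from datetime import datetime, timezone
from enum import Enum

class Verdict(Enum):
    OK = "ok"
    WARN = "warn"      # start, but log loudly
    REFUSE = "refuse"  # do not start

# Assumption: a timestamp compiled into the binary (constructed sample value).
BUILD_TIME = datetime(2003, 1, 15, tzinfo=timezone.utc)

def parse_advisory(txt):
    """Parse the assumed TXT payload 'last-security-update=<UTC timestamp>'."""
    key, sep, value = txt.strip().partition("=")
    if key != "last-security-update" or not sep:
        raise ValueError("unexpected advisory format")
    ts = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc)

def startup_check(txt_answer, build_time=BUILD_TIME, fixes_through=None, strict=True):
    """Decide whether to start.

    txt_answer    -- TXT string from the advisory name, or None if the lookup failed
    fixes_through -- set by a vendor that backports: date its fixes are current to
    strict        -- True: refuse to run when outdated; False: only warn
    """
    if txt_answer is None:
        # A failed lookup must not keep the name server down (assumed policy).
        return Verdict.WARN, "advisory lookup failed; patch level unverified"
    try:
        last_update = parse_advisory(txt_answer)
    except ValueError as exc:
        return Verdict.WARN, f"ignoring advisory: {exc}"
    # A backporting vendor supplies its own check by raising the effective date.
    effective = max(build_time, fixes_through or build_time)
    if effective >= last_update:
        return Verdict.OK, "code is at least as new as the latest security update"
    verdict = Verdict.REFUSE if strict else Verdict.WARN
    return verdict, f"code predates security update of {last_update:%Y-%m-%d}"

if __name__ == "__main__":
    sample = "last-security-update=2003-03-20T00:00:00Z"  # constructed answer
    for kwargs in ({}, {"strict": False},
                   {"fixes_through": datetime(2003, 3, 21, tzinfo=timezone.utc)}):
        print(kwargs, startup_check(sample, **kwargs))
    print(startup_check(None))
```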