RE: [NANOG] Re: Reasons why BIND isn't being upgraded

From: Joshua Goodall []
Sent: Friday, February 02, 2001 12:52 AM

I can understand the annoyance felt by a large hosting
provider updating
BIND in an emergency and finding more than just a security
fix. Pim is, I
guess, concerned that similar updates in future may have longer MTTR
impact. Pete Elke's point about preproduction testing could
perhaps be
turned from a combative tone to the constructive without loss of

Isn't that why NSI is running a stealth master root server ... so they _are
able_ to do pre-production testing of zone files? In the past few years,
there were a lot of root server outages that would have been prevented by
that practice.

To be honest, yes it wuold've saved me some extra frustration if I had
known there would be such issues. Yes, a test situation is ideal to get
these changes figured out. I just counted on it to be a trivial upgrade
and it wasn't. Perhaps, in the interest of Internet Security, it would not
be a bad idea if ISC or someone else were to come with an 8.2.2-P8 to
address _just_ the security issues to lower the barrier-of-entry to a
secure version of bind8.

Security fixes are very urgent on my list, I didn't want to lose any time
getting it out of ther door. That's what bit me and now I know that the
next time there's a Panic about vulnerabilities in BIND, being vulnerable
for an extra hour while testing out the patches off-site on a test system
may be worth the risk.