email@example.com (Sean Donelan) writes:
What's even stranger about the Iraqi state provider Uruklink.net is the DNS
servers are now self-identifying with earlier (with known bugs) versions
of BIND. Last week the Uruklink name server 18.104.22.168 was running
8.2.2-P5, but now is running 8.1.2. ...
at http://www.isc.org/products/BIND/bind-security.html we see:
Name: "BIND: Remote Execution of Code"
Versions affected: BIND 4.9.5 to 4.9.10
BIND 8.1, 8.2 to 8.2.6, 8.3.0 to 8.3.3
Type: Possibility to execute arbitrary code.
When constructing a response containing SIG records an incorrect
space allows a write buffer overflow. It is then possible to
execute code with the privileges of named.
the list goes on. i'm sure several folks will use this as an opportunity to
hawk their own alternative non-BIND DNS solution, i wish you well except plz
change the Subject: header on your reply since what i really want to talk
about is: how to get people to upgrade their software when defects are found.
sending out announcements through CERT and the bind-announce m/l isn't working.
so here's a proposal. we (speaking for ISC here) could add a config option
(default to OFF) to make bind send some kind of registration packet at boot
time, containing an e-mail address for a technical contact for that server,
and perhaps its hostname as well. the destination would be configurable, and
the format would be open, and we would include in the distribution a tool
capable of catching these. any campus/WAN admin who wanted to run their own
"BIND registration system" could do so. anyone who wanted to simply config
their server to send registration data to ISC could do so. for data received
at ISC, we'd (a) keep it completely private other than public statistics,
(b) clean it of obvious trash (some people will send registration data for
firstname.lastname@example.org just for fun; we know that), and (c) use the contact
information only in the event that a security defect is discovered in that
version. remember, the default would be OFF.
given such a feature, whose default was OFF, would anyone here who uses
BIND stop using it out of protest? if so plz answer publicly (on nanog).
given such a feature, would anyone here create their own registration system
so they had their own database of local BIND instances on their campus/WAN,
or would anyone here config their servers to send registration data to ISC?
if so plz answer privately (i'll summarize to the list.)
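A receiving-side sketch of the registration idea above, added here as an example; it is not ISC's code or any real registration tool. The one-line record format (contact=, host=, version=) is an assumption of this example, the sample registrations are constructed, and the affected ranges are the ones from the ISC advisory quoted in the message.

```python
import re

# Registration line format is an assumption for this example (not ISC's):
#   "contact=<email> host=<fqdn> version=<bind version string>"
FIELD_RE = re.compile(r"(\w+)=(\S+)")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Affected ranges from the advisory quoted above, as inclusive (major, minor, patch)
# bounds; "BIND 8.1" is listed with no upper bound, so every 8.1.x is treated as affected.
AFFECTED_RANGES = [
    ((4, 9, 5), (4, 9, 10)),
    ((8, 1, 0), (8, 1, 999)),
    ((8, 2, 0), (8, 2, 6)),
    ((8, 3, 0), (8, 3, 3)),
]

def parse_version(text):
    """'8.2.2-P5' -> (8, 2, 2); a -P5 / -REL suffix is ignored for the range check."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def is_affected(version):
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)

def parse_registration(line):
    """Return (contact, host, version), or None for obvious trash (bad e-mail, no version)."""
    f = dict(FIELD_RE.findall(line))
    contact, host, version = f.get("contact"), f.get("host"), f.get("version")
    if not (contact and host and version) or not EMAIL_RE.match(contact):
        return None
    if parse_version(version) is None:
        return None
    return (contact, host, version)

def contacts_to_notify(lines):
    """Deduplicated registrations whose reported version falls in an affected range."""
    seen, out = set(), []
    for line in lines:
        reg = parse_registration(line)
        if reg and reg not in seen and is_affected(parse_version(reg[2])):
            seen.add(reg)
            out.append(reg)
    return out
# Constructed sample registrations; hosts and addresses are made up.
SAMPLE = [
    "contact=hostmaster@example.net host=ns1.example.net version=8.2.2-P5",
    "contact=hostmaster@example.net host=ns1.example.net version=8.2.2-P5",
    "contact=noc@example.com host=ns.example.com version=8.1.2",
    "contact=junk host=ns.example.org version=8.1.2",
    "contact=dns-admin@example.edu host=ns2.example.edu version=4.9.11",
    "contact=dns-admin@example.edu host=ns3.example.edu version=8.3.4",
]
```

Running `contacts_to_notify(SAMPLE)` keeps the 8.2.2-P5 and 8.1.2 servers (one copy each) and drops the trash record and the 4.9.11 and 8.3.4 servers, which sit just past the advisory's affected ranges.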