RE: [NANOG] Re: Reasons why BIND isn't being upgraded
From: Joshua Goodall [mailto:joshua@roughtrade.net]
Sent: Friday, February 02, 2001 12:52 AM
I can understand the annoyance felt by a large hosting provider updating BIND in an emergency and finding more than just a security fix. Pim is, I guess, concerned that similar updates in future may have longer MTTR impact. Pete Elke's point about preproduction testing could perhaps be turned from a combative tone to the constructive without loss of information.
Isn't that why NSI is running a stealth master root server ... so they _are able_ to do pre-production testing of zone files? In the past few years, there were a lot of root server outages that would have been prevented by that practice.
On Fri, 2 Feb 2001, Roeland Meyer wrote:
Pete Elke's point about preproduction testing could perhaps be turned from a combative tone to the constructive without loss of information.
Isn't that why NSI is running a stealth master root server ... so they _are able_ to do pre-production testing of zone files? In the past few years, there were a lot of root server outages that would have been prevented by that practice.
To be honest, yes it would've saved me some extra frustration if I had known there would be such issues. Yes, a test situation is ideal to get these changes figured out. I just counted on it to be a trivial upgrade and it wasn't. Perhaps, in the interest of Internet Security, it would not be a bad idea if ISC or someone else were to come with an 8.2.2-P8 to address _just_ the security issues to lower the barrier-of-entry to a secure version of bind8. Security fixes are very urgent on my list, I didn't want to lose any time getting it out of the door. That's what bit me and now I know that the next time there's a Panic about vulnerabilities in BIND, being vulnerable for an extra hour while testing out the patches off-site on a test system may be worth the risk.
Cheers, Pi
Participants (2): Pim van Riezen, Roeland Meyer