[34265] in North American Network Operators' Group


Re: Reasons why BIND isn't being upgraded

daemon@ATHENA.MIT.EDU (Paul Vixie)
Thu Feb 1 21:09:46 2001

To: nanog@merit.edu
From: Paul Vixie <vixie@mfnx.net>
Date: 01 Feb 2001 18:07:44 -0800
In-Reply-To: Simon@wretched.demon.co.uk's message of "1 Feb 2001 17:11:01 -0800"
Message-ID: <g34rydzvkf.fsf@redpaul.mfnx.net>
Errors-To: owner-nanog-outgoing@merit.edu


Simon@wretched.demon.co.uk (Simon Waters) writes:

> The ISC.ORG web site recommends leaving the BIND version string
> unchanged to assist in troubleshooting. 
> 
> I remain unconvinced that showing the version string helps much.

it helped you with your survey, didn't it?

hiding it doesn't help at all.  people who want to know if you're vulnerable
and to what have tools to find out.

hiding it DOES however make it harder for people (including network owners)
to do surveys.

until, that is, somebody breaks into a server using some published hole and
then modifies the version string so the admin's periodic audit won't show it
as needing to be upgraded.  so -- don't believe it if it says you're safe,
use indications of unsafety as reasons to prioritize those servers for a
closer audit.

