[34338] in North American Network Operators' Group
Re: Reasons why BIND isn't being upgraded
daemon@ATHENA.MIT.EDU (Adam Rothschild)
Sat Feb 3 16:22:19 2001
Date: Sat, 3 Feb 2001 16:19:54 -0500
From: Adam Rothschild <asr@latency.net>
To: Paul A Vixie <vixie@mfnx.net>
Cc: nanog@merit.edu
Message-ID: <20010203161954.A21834@og.latency.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200102032051.MAA28719@redpaul.mfnx.net>; from vixie@mfnx.net on Sat, Feb 03, 2001 at 12:51:53PM -0800
Errors-To: owner-nanog-outgoing@merit.edu

On Sat, Feb 03, 2001 at 12:51:53PM -0800, Paul A Vixie wrote:
> > Will the ISC implement similar policies with its INN and DHCP software
> > in the foreseeable future, or is this something unique to BIND?
>
> I don't see INN or DHCP as critical to the internet's infrastructure, so, no.

So, the more critical to the Internet's infrastructure software is,
the more difficult it should be for non-"privileged" people to be made
aware of key security announcements/patches in a timely manner?

Why not just notify everyone at once? That way, when vulnerabilities
are discovered, people can take whatever action they deem appropriate
to protect their infrastructure (write/release their own set of BIND
patches? upgrade to djbdns? decide DNS is too daunting to manage
in-house, and outsource to Nominum or UltraDNS instead?), rather than
remain vulnerable, pending an official announcement from the
appropriate sources.

-adam