DNS version

Bill Manning bmanning at ISI.EDU
Tue Feb 4 17:27:38 UTC 2003


% Non-disclosure of the version number may make it harder to craft
% a vulnerability or otherwise slow an attacker down. Sure he can
% try all attacks against all possible versions - but unless each
% such attack has a zero cost to the attacker you have moved the
% barrier up - no matter how imperceptibly.
% 
% The mistake is to muddle "secret" (i.e. something which if
% disclosed compromises the integrity of the system) with
% information that is not voluntarily given.
% 
% Then again I could be wrong.

	right/wrong?  depends in some degree on who is asking the question.
	the presumption that all version requests are from attackers is
	false.

	version identification does help track code diffusion, which can
	be useful in determining the overall health of the system.
	
	I've been running version checks on the system since 1997 as a
	means to gauge the difficulties of deployment of new DNS features.
	Hiding the version makes the audits run slower, but doesn't stop
	them.  In your parlance, this raises the barrier, in practice, you 
	can't raise the barrier high enough, unless you disconnect the 
	server from the net.

	remember, the DNS is a public database. if it can be queried
	it will be.   If you're that paranoid, retreating into your
	walled garden might be the best thing. 


--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
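Added example, not from the thread: a small audit tool an operator can point at their own servers to see what they return for the version check the post refers to. It hand-builds the CHAOS-class TXT query for `version.bind.` (the name BIND answers with its version string unless the `version` option is set in `named.conf`) and parses the reply with nothing beyond the standard library; the transaction id and the sample values are constructed for illustration.

```python
import socket
import struct

def build_version_query(txid: int = 0x1234) -> bytes:
    """DNS header plus one question: version.bind, type TXT (16), class CHAOS (3)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: no RD, 1 question
    labels = (b"version", b"bind")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 16, 3)

def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_version_reply(buf: bytes, txid: int = 0x1234) -> list:
    """Return every TXT string in the answer section; [] if the id mismatches or RCODE != 0."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if rid != txid or flags & 0x000F != 0:  # e.g. REFUSED when the server hides its version
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4  # question = name + type + class
    texts = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 16 and rclass == 3:
            p, end = off, off + rdlen
            while p < end:  # TXT RDATA is a sequence of <len><chars> strings
                n = buf[p]
                texts.append(buf[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
        off += rdlen
    return texts

def query_server(host: str, port: int = 53, timeout: float = 2.0) -> list:
    """Send the query over UDP to a server you operate and parse what it returns."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (host, port))
        return parse_version_reply(s.recv(512))
```

An empty list from a server that is up means the name is being refused or answered with no TXT data, which is what setting `version` in the `options` block of `named.conf` produces.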

