The BIND Forum and the maintenance of critical software

Spurred on, perhaps, by the latest set of BIND vulnerabilities (and the problematic handling of those vulnerabilities), the Internet Software Consortium has announced the startup of the "BIND Forum," with AFNIC, APNIC, ARIN, Compaq, Ericsson, HP, IBM, RIPE, Sun, and VeriSign as initial members. Many in the free software community are suspicious of the Forum and its motives. The Forum is worth a look, however, as one way of managing development and support for a piece of critical network software.

BIND, of course, is the package that implements most of the domain name system. The BIND Forum is a relatively old (and controversial) idea - it was first announced back in January, 2001. The basic idea was that members, in exchange for helping to fund BIND development, would gain access to the BIND developers and, crucially, early access to security updates. The idea of restricting security information (about free software) to those who have paid a fee did not prove popular in the community. As a result of criticism, and, presumably, lack of interest, the Forum idea stalled for almost two years. Now, however, it is back.

Corporate memberships in the Forum cost $5000 per year - unless you have over $2 billion in revenue, in which case you pay $50,000. Universities and nonprofit organizations are asked to pay $1000, and individual memberships have a "target minimum" fee of $100. For these fees, members get:

  • Direct notification of patches from ISC.

  • Read-only access to the ISC cvs server.

  • The ability to attend the "BIND Developers Workshop."

All of this requires signing a relatively lengthy contract (available from the ISC site), along with an "intellectual property policy statement" which, essentially, seems to be a restatement of the BIND license.

Those benefits may well be useful to a small number of companies that are deeply concerned with BIND development. What the Forum really has to offer, though, is early access to security alerts. That access is not available to standard Forum members, though; getting the security information requires signing a separate agreement and tacking an additional 20% onto the membership fees. The agreement states that ISC will notify members of security problems "up to ten days" before telling the world by way of CERT. Members are required to keep this information confidential, however, and must guard it "using authentication and encryption tools which have been approved in writing by ISC."

So, if you pay enough, you'll get early warning of security problems, but only if ISC feels like sending it out. Of course, the last vulnerability was not disclosed through ISC, so Forum membership would not have been all that useful that time around.

The Forum appears, to many, to be a way of extracting money from BIND users by restricting access to vital security information. Some see it as a violation of the ethics of full disclosure and free access to the software. This may all be true, but it is worth keeping some things in mind:

  • Restricted access to security information during the early stages of a vulnerability is increasingly the norm. Linux distributors (and others), for example, maintain a controlled mailing list for the discussion of security problems. Done properly, restricted access can help ensure that patches are available to most users before information on the problem is widely available.

  • Companies that rely heavily on software like BIND have an interest in seeing that it is maintained well. They should be willing to pay for this work.

  • BIND remains free software; anybody who has a better way of maintaining it and handling security problems can fork the project and run it as they see fit.

If the BIND Forum idea is implemented well, it could support the future development of the software and help make it more secure for all users. If implemented poorly, it could become an insiders club that ends up restricting the general availability of security information indefinitely. The "up to ten days" provision in the security notification agreement is encouraging in this respect: there is an implicit promise that security information will be restricted to the Forum for no longer than that period.

Whether the BIND Forum will be a success and be helpful to all BIND users remains to be seen. It could well go either way. But, as people and companies continue to look around for viable ways of funding free software development, it would not be surprising to see the creation of more organizations like the BIND Forum in the future.


Pay to hack?

Posted Nov 27, 2002 18:23 UTC (Wed) by ranger (guest, #6415)

The concern here, however, is that ISC may now be making vulnerability information available to people who may not have software security in mind, but rather have joined (would $120 get it?) the forum as individuals in order to have free rein on all BIND servers maintained by people who have not paid the extortion fees for a period of up to 10 days (or possibly more?).

Does the ISC claim that they will be able to vet all individual members sufficiently to prevent this?

I know of people who suspected BIND exploits more than a week before the vulnerability was announced, which makes this possibility more feasible.

In essence, the ISC is holding the world to ransom, and I suspect many people won't like that. A few big corporate accounts may be enough to maintain better, alternative DNS software, and the ISC will find itself obsolete and vulnerable.

The BIND Forum and the maintenance of critical software

Posted Nov 28, 2002 9:03 UTC (Thu) by beejaybee (guest, #1581)

If this makes a "true open source" alternative to BIND more of a realistic proposition, then everyone will gain in the end. (Yes, I'm aware that there are alternatives now - but none have critical mass). The point here is that the Internet really needs multiple implementations of protocols critical to its infrastructure; at present a serious flaw discovered in BIND could effectively destroy the whole network infrastructure. Widespread deployment of alternative implementations would give the network at least some capability to keep running whilst a problem was fixed.

So I'm sort of positive to the BIND Forum, though I'm opposed to the idea of spinning off "elite" groups based mainly on funding by major corporations.

The BIND Forum and the maintenance of critical software

Posted Dec 5, 2002 20:21 UTC (Thu) by and (subscriber, #2883)

luckily there's djbdns!

The BIND Forum and the maintenance of critical software

Posted Dec 13, 2002 23:53 UTC (Fri) by rickmoen (subscriber, #6943)

Luckily, there are open-source alternatives to BIND (in addition to the proprietary djbdns and PowerDNS ones):

MaraDNS is a general-purpose, fast DNS server package (doing recursive, authoritative, and caching roles, plus fully supporting zone transfers): http://www.maradns.org/

pdnsd is a small caching-only DNS server with a disk-based cache, suitable for small networks and workstations: http://home.t-online.de/home/Moestl/

Dnsmasq is a small authoritative and caching DNS server for a group of NATted / IPmasqued machines (optionally pulling names from DHCP leases): http://www.thekelleys.org.uk/dnsmasq/

DNRD is a small caching-only DNS server for NAT / IPmasq networks: http://dnrd.nevalabs.org/

MyDNS is a MySQL-based authoritative and caching server (no recursive service) suitable for very large sites. In such roles, it's faster and more responsive than BIND9, even though the latter uses a RAM-based cache: http://mydns.bboy.net/

ldapdns implements the same idea, except out of an LDAP database. Again, much faster than BIND9: http://nimh.org/code/ldapdns/

GnuDIP is an authoritative server for Dynamic DNS: http://gnudip2.sourceforge.net/gnudip-www/

NSD is a high-performance authoritative-only daemon: http://www.nlnetlabs.nl/nsd/

CustomDNS is an authoritative-only daemon for both static addresses and its variant form of dynamic DNS: http://customdns.sourceforge.net/

lbnamed is a similar authoritative-only daemon for static and dynamic information, with a load-balancing multi-machine architecture: http://www.stanford.edu/~riepel/lbnamed/

Posadis is another fast authoritative-only daemon: http://posadis.sourceforge.net/

dents is another general-purpose DNS server, but is perennially unfinished: http://sourceforge.net/projects/dents/

Pliant DNS Server is another general-purpose DNS server, although it may not support zone transfers: http://pliant.cx/pliant/protocol/dns/

Yaku-NS is another small, fast general-purpose DNS server: http://www.kyuzz.org/antirez/ens.html

Rick Moen
rick@linuxmafia.com

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.