From: Kurt Seifried (listuser@SEIFRIED.ORG)
Date: Fri Feb 02 2001 - 03:29:39 CST


    Hola all,

    Interviewed Paul Vixie to clear some things up, and asked several people about
    this (some vendors/etc.), the responses are interesting to say the least.

    By Kurt Seifried (seifried@securityportal.com) for www.SecurityPortal.com

    February 01, 2001 - ISC's Bind has become the de facto standard for running name
    servers, from the heavily used root server all the way to single-user Unix
    workstations. This has resulted in a monoculture: outside of some
    Microsoft-based networks, virtually all name servers run Bind.

    The security problems in Bind are numerous, with root hacks and denial of
    service attacks being found over the years. The ISC Bind security page lists
    twelve "official" security holes in various versions of Bind. If you visit any
    hacker Website, chances are you can find dozens of prepackaged "exploits" that
    will allow you to break into various versions of Bind running on different Unix
    platforms. Currently, of the SANS top ten security problems, Bind is number one.

    ISC is now considering charging for access to security-related information
    regarding Bind:

    From: Paul A Vixie (Paul_Vixie@isc.org)

    ISC has historically depended upon the "bind-workers" mailing list, and CERT
    advisories, to notify vendors of potential or actual security flaws in its BIND
    package. Recent events have very clearly shown that there is a need for a
    fee-based membership forum consisting only of:
    1. ISC itself
    2. Vendors who include BIND in their products
    3. Root and TLD name server operators
    4. Other qualified parties (at ISC's discretion)

    Requirements of bind-members will be:
    1. Not-for-profit members can have their fees waived
    2. Use of PGP (or possibly S/MIME) will be mandatory
    3. Members will receive information security training
    4. Members will sign strong nondisclosure agreements

    Features and benefits of "bind-members" status will include:
    1. Private access to the CVS pool where bind4, bind8 and bind9 live
    2. Reception of early warnings of security or other important flaws
    3. Periodic in-person meetings, probably at IETF's conference sites
    4. Participation on the bind-members mailing list

    If you are a BIND vendor, root or TLD server operator, or other interested
    party, I urge you to seek management approval for entry into this forum, and
    then either contact, or have a responsible party contact, isc-info@isc.org.

    I solicited responses from ISC and several vendors via phone and email.

    Paul Vixie (Internet Software Consortium - makers of Bind) communicated with me
    in several emails. The (1) and (2) show which email exchange each part is from.
    No other editing has been done.

    Kurt Seifried (1): I'm doing an article on this, and I've solicited some vendor
    response, but would also like to get ISC's reasons, etc. for this (as well to
    explain to readers a bit more what is going on).

    Paul Vixie (1): It's a bit early to do an article on it. that's why I called
    the notice I sent a "pre-announcement". but I'll tell you what little can be
    told and you can decide if it's newsworthy.

    Kurt Seifried (2): From this I take it as a matter of when it will happen, as
    opposed to if it will happen?

    Paul Vixie (2): bind-members absolutely will happen.

    Kurt Seifried (1): Why do you think there is a need for fee-based membership?

    Paul Vixie (1): ISC has strong ties to vendors who run bind9, due to the
    vendor-funded project to write bind9 from scratch. however, ISC's contacts to
    vendors (or to the different parts of some of the same vendors) who run bind4
    and bind8 are at the personal, 1-on-1 engineering level. it's now desirable to
    formalize and deepen the ties between ISC and those vendors or parts of vendors
    who are responsible for shipping BIND, and patches to BIND, as part of their
    products.

    Kurt Seifried (2): So unless you sponsor ISC or pay the membership fee you will
    be unable to get support from ISC in the form of software patches, etc.? I.e.,
    you will have to rely on "official" releases (such as 8.3.2 or 9.1.0) or fix it
    yourself?

    Paul Vixie (2): not at all. ISC has always published patches and will continue
    to do so. however, the next time we learn, through CERT or otherwise, that there
    is an attackable bug in code that we've published, we hope to have a direct and
    very private communications forum with the people who run the internet
    infrastructure or who need lead time to prepare patches for THEIR customers.
    an important point to make, if you're going to write about this, is that nothing
    ISC has historically done will stop. the code is still completely
    redistributable under the Berkeley-style license (which, unlike the GPL, allows
    vendors to distribute binaries based on modified sources without sharing those
    source modifications with ISC or anybody else). CERT will still be ISC's
    channel for announcing security bugs to the community. patches will still be
    accepted from the community, and published to the community.
    the ONLY thing bind-members will do is ADD SOMETHING NEW. nothing old is being
    taken away. all that was, remains. what we're adding is a way for ISC and the
    vendors who ship BIND in their products to speak privately and securely without
    awkwardly depending on CERT as the communications channel. (but note that CERT
    will still receive early notice of any attackable bugs just as they always have,
    there is no intent to cut them out of the loop.)

    Kurt Seifried (1): What recent events have shown this?

    Paul Vixie (1): While preparing for this week's CERT advisory, isc found that
    speaking to vendors through the CERT advisory process was somewhat awkward and
    made for extra work on both sides.

    Kurt Seifried (1): The NDA, I assume this is to prevent people from jumping the
    gun on announcements and distributing code from CVS?

    Paul Vixie (1): Absolutely. Only ISC or its contractors can distribute new
    versions of BIND.

    Kurt Seifried (2): By this I assume you mean an "official" Bind-x.x.x.tar.gz, as
    opposed to "Generic Linux" shipping Bind-x.x.x.tar.gz compiled and packaged up,
    correct?

    Paul Vixie (2): right.

    Kurt Seifried (1): Do you have any idea or ballpark figures on what membership
    will cost, for example say a vendor like IBM, and/or Red Hat Linux? I.e. $500,
    $5,000, $50,000 per year?

    Paul Vixie (1): I can't comment on that at this time. however, you can use the
    graduated pricing model of the old X Consortium as a "similar-sounding model" to
    get the point across to your readers that (a) this has been done before, and (b)
    details will be announced when ISC is ready to announce them.

    Commentary

    Vincent Danen (MandrakeSoft - makers of Linux Mandrake):

    I think the decision of the ISC to make a bind-members group that is not public
    for the future development and early disclosure of security problems related to
    the BIND software is an extremely bad idea. While I understand the need to
    protect the code from malicious users, I fail to understand the need to charge
    for the privilege of being amongst this "elite" crowd, and I absolutely disagree
    with members being forced to sign a non-disclosure agreement. If the ISC indeed
    goes ahead with this, I hope the Open Source community, to whom this is a severe
    slight, decides to move forward with either a branch of the BIND code to audit,
    secure, and most importantly keep it 100% free, or a similar BIND replacement
    package. This is, of course, my own personal opinion, and not necessarily the
    opinion of my employer.

    Greg Kroah-Hartman (WireX Communications - makers of ImmunixOS):

    "We don't like this at all. If you are on the linux-elitists mailing list,
    there's a great description of why someone thinks ISC is doing this (I can
    forward it to you if you can't find it). And I don't think that we would pony up
    the money to play with this."
    http://zgp.org/pipermail/linux-elitists/2001-February/001494.html

    Dragos Ruiu (Dursec - IDS expert and author), via email:

    It is unfortunate that right now, no credible alternative exists to bind, whose
    development by the ISC and Mr. Vixie's desire to close the sources for it,
    locking out all except the for-pay cabal members from viewing critical security
    information about it, leaves the entire Internet reliant on a dubiously managed
    monocultural single point of failure with a poor past record of security. The
    only current credible alternative to bind I've found is currently djb-dns, whose
    restrictive license prohibits anyone except DJB from distributing patches or any
    code modifications or derivatives, and this situation, if no other alternatives
    arise, leaves the Internet at a high risk of a massive systemic failure - an
    unpleasant prospect.

    Theo de Raadt (Head of the OpenBSD project) via email:

    ISC has been building a "one shoe fits all" DNS server, designed for everything
    from small servers to root servers with the .com hierarchy on them. Good
    security software has well constrained behaviours and small subcomponents, so
    that unexpected results are minimized. BIND is not written that way, and has
    hundreds of little features. It can be very difficult to assure the quality of
    software designed to run in a wide assortment of ways. None of the BIND
    implementations has any of the basic principles we see in great security
    software, and when we add in the ubiquitous and mono-cultured nature of its
    deployment, the discovery of a really nasty bug could hit really hard. Say,
    I-LOVE-YOU.in-addr.arpa?
    We need more DNS server choices.

    A long list of emails was posted to Bugtraq. Of 23 emails posted, only one was
    supportive, and this was from a major ISP (rr.com). Among the comments were:

    From: "Larry W. Cashdollar" (lwc@Vapid.dhs.org)
    This means only system crackers and paying parties will be aware of security
    issues. How is this model going to benefit the internet as a whole and the
    security community? I rely on free information from lists like bugtraq and cert
    to keep my systems secure. I now have to pay for my own security?

    From: Security Admin (security@cyberlink.ch)
    VERY harmful. This is screaming for a code-fork, for the same procedure that
    happened with SSH. If ISC doesn't back off, we're soon gonna have OpenBind.

    Bind is not some simple application we can live without; it is one of the
    fundamental components of the modern Internet. This type of fee-based member
    forum sets an extremely worrying precedent. ISC also controls DHCP (Dynamic Host
    Configuration Protocol), which is used by many large organizations to remotely
    configure workstations for network access.

    If ISC is successful in this venture, similar software vendors will be tempted
    to do the same, as it offers a nice revenue stream for a service they currently
    provide for free. Furthermore, the restriction of access to information will
    only result in non-member vendors taking much longer to ship updates, hurting
    their customers and increasing the number of vulnerable Bind servers.

    ISC is playing with fire. They run the risk of seriously alienating the user
    community and operating system vendors, who, if backed into a corner, may not
    sign the NDA and pay the membership fees.

    Kurt Seifried, seifried@securityportal.com
    www.SecurityPortal.com - your focal point for security on the 'net