Re: Reasons why BIND isn't being upgraded
patrick@cybernothing.org (Patrick Greenwell) writes:

> hiding it DOES however make it harder for people (including network owners) to do surveys.
>
> By the same token one might argue that attempting to hide vulnerabilities from those paying you for "early warnings" doesn't help at all.

Wrt the bind-members forum being discussed to death elsewhere, nobody can pay for early warnings. CERT will still be the source of early warnings. What people can pay for (bind-members participation) is the legal fees associated with NDA-level access to early fixes, if and only if they provide part of the internet's basic infrastructure (e.g., OS vendors and TLD server operators).

> Just something to consider.

I promise that ISC considered everything which was relevant, which your claim above is emphatically not. (Thanks for the FUD though.)
On Sat, Feb 03, 2001 at 10:24:58AM -0800, Paul Vixie wrote:

> Wrt the bind-members forum being discussed to death elsewhere, nobody can pay for early warnings. CERT will still be the source of early warnings. What people can pay for (bind-members participation) is the legal fees associated with NDA-level access to early fixes, if and only if they provide part of the internet's basic infrastructure (e.g., OS vendors and TLD server operators).

I'm a bit confused. Under this arrangement, what incentive is there for security-conscious common people to run BIND as a name server, rather than its various alternatives, most of which don't require preferential treatment in order to get timely security advisories/fixes?

Will the ISC implement similar policies with its INN and DHCP software in the foreseeable future, or is this something unique to BIND?

-adam
On Sat, Feb 03, 2001 at 02:11:25PM -0500, Adam Rothschild wrote:

> On Sat, Feb 03, 2001 at 10:24:58AM -0800, Paul Vixie wrote:
>
> > Wrt the bind-members forum being discussed to death elsewhere, nobody can pay for early warnings. CERT will still be the source of early warnings. What people can pay for (bind-members participation) is the legal fees associated with NDA-level access to early fixes, if and only if they provide part of the internet's basic infrastructure (e.g., OS vendors and TLD server operators).
>
> I'm a bit confused. Under this arrangement, what incentive is there for security-conscious common people to run BIND as a name server, rather than its various alternatives, most of which don't require preferential treatment in order to get timely security advisories/fixes?
>
> Will the ISC implement similar policies with its INN and DHCP software in the foreseeable future, or is this something unique to BIND?

FWIW, here's djb's analysis of the current situation, which he posted recently on the dns@list.cr.yp.to mailing list:

| The Vixie cluster of companies---Vixie Enterprises, Nominum, Vayusphere,
| PAIX, M.I.B.H. (swallowed by Metromedia), etc.---is already doing its
| best to make money off BIND. They give us configuration problems and
| then sell support services; they give us reliability problems and then
| sell backup services; they give us security problems and then sell early
| access to security information.
|
| The natural next step is for them to start selling a BIND Pro with early
| access to features and bug fixes that'll be added someday to the free
| BIND. BIND isn't under the GPL, so there's no legal obstacle to this.
|
| ---Dan

--Adam
Any flames sent my way will be accepted graciously -- but they won't change my opinion.

Adam McKenna wrote:

> | The Vixie cluster of companies---Vixie Enterprises, Nominum, Vayusphere,
> | PAIX, M.I.B.H. (swallowed by Metromedia), etc.---is already doing its
> | best to make money off BIND. They give us configuration problems and
> | then sell support services; they give us reliability problems and then
> | sell backup services; they give us security problems and then sell early
> | access to security information.

Frankly - and this is my own opinion here as I have no formal association with Paul Vixie or any of his business enterprises[0] - this isn't fair. All software has bugs. Period. I have a particularly strong dislike for Microsoft, but they certainly do not have a monopoly on bugs. Any decent-sized software project will have bugs pop up from time to time.

WRT Config issues: Hello, people... this was a major-version upgrade... it behooves you to do what I am going to do as soon as I am ready to upgrade, and test out all of your zones on another machine before deploying on the production boxen. I understand that many of you are running a significantly larger number of zones than I am. I do not think, in most cases, that that would preclude testing before deployment.

Many -- MOST (probably "almost all") -- of you have far more extensive experience running your own pieces of the Internet than I have running mine, and y'all should know better. (As should a couple of the Monks on alt.sysadmin.recovery who were complaining about problems upgrading.) I suspect Dan'o knows better, too.

[0] <disclosure type="full">I am providing two dns servers running slaves for relays.mail-abuse.org and I run MAPS's rbl-nominate mailing list. I am doing these things as favors to friends who work, or have worked, for MAPS. MAPS and I don't have a formal agreement WRT providing these services.</disclosure>

-- 
Steve Sobol, BOFH, President    888.480.4NET  866.DSL.EXPRESS  216.619.2NET
North Shore Technologies Corporation    http://NorthShoreTechnologies.net
JustTheNet/JustTheNet EXPRESS DSL (ISP Services)    http://JustThe.net
mailto:sjsobol@NorthShoreTechnologies.net
Proud resident of Cleveland, Ohio
On Sun, Feb 04, 2001 at 03:01:14PM -0500, Steve Sobol wrote:

> Any flames sent my way will be accepted graciously -- but they won't change my opinion.
>
> Adam McKenna wrote:
>
> > | The Vixie cluster of companies---Vixie Enterprises, Nominum, Vayusphere,
> > | PAIX, M.I.B.H. (swallowed by Metromedia), etc.---is already doing its
> > | best to make money off BIND. They give us configuration problems and
> > | then sell support services; they give us reliability problems and then
> > | sell backup services; they give us security problems and then sell early
> > | access to security information.
>
> Frankly - and this is my own opinion here as I have no formal association with Paul Vixie or any of his business enterprises[0] - this isn't fair.

I just thought it was interesting. Obviously he is coming from a different perspective than any of us (that of a competitor), but he does have a point.

> WRT Config issues: Hello, people... this was a major-version upgrade... it behooves you to do what I am going to do as soon as I am ready to upgrade, and test out all of your zones on another machine before deploying on the production boxen. I understand that many of you are running a significantly larger number of zones than I am. I do not think, in most cases, that that would preclude testing before deployment.

Agreed. Since you have just given me an excuse to post, I wanted to point out that I have written a BIND-to-djbdns migration guide, which is available at http://www.flounder.net/djbdns/bind-to-djbdns.html . It's still pretty much a first draft and I welcome any comments.

--Adam

-- 
Adam McKenna <adam-sig@flounder.net> | "No matter how much it changes,
http://flounder.net/publickey.html   | technology's just a bunch of wires
GPG: 17A4 11F7 5E7E C2E7 08AA        | connected to a bunch of other wires."
38B0 05D0 8BF7 2C6D 110A             | Joe Rogan, _NewsRadio_
3:03pm up 239 days, 13:21, 9 users, load average: 0.01, 0.05, 0.02
On Sat, Feb 03, 2001 at 02:11:25PM -0500, Adam Rothschild wrote:

> I'm a bit confused. Under this arrangement, what incentive is there for security-conscious common people to run BIND as a name server, rather than its various alternatives, most of which don't require preferential treatment in order to get timely security advisories/fixes?

Let's say you get your patches from Sun, right? Sun gets information on those patches from ISC, and releases them to you without preferential treatment. Just because you aren't aware of it, don't assume that software vendors don't have private channels of communication with their providers. Think before you speak.

-- 
Joe Rhett                                      Chief Technology Officer
JRhett@ISite.Net                                    ISite Services, Inc.
PGP keys and contact information:  http://www.noc.isite.net/Staff/
On 3 Feb 2001, Paul Vixie wrote:

> patrick@cybernothing.org (Patrick Greenwell) writes:
>
> > hiding it DOES however make it harder for people (including network owners) to do surveys.
> >
> > By the same token one might argue that attempting to hide vulnerabilities from those paying you for "early warnings" doesn't help at all.
>
> Wrt the bind-members forum being discussed to death elsewhere, nobody can pay for early warnings. CERT will still be the source of early warnings.

CERT has NEVER been the source of early warnings. By the time they release information it has already been disseminated in a variety of other forums. Can you understand that?


> CERT has NEVER been the source of early warnings. By the time they release information it has already been disseminated in a variety of other forums.
>
> Can you understand that?

Paul isn't responsible for building an organization to replace CERT. His support list doesn't make the response center environment any better or any worse than it currently is. If you want something better than CERT, build it yourself. This is unrelated.

-- 
Joe Rhett                                      Chief Technology Officer
JRhett@ISite.Net                                    ISite Services, Inc.
PGP keys and contact information:  http://www.noc.isite.net/Staff/
On 3 Feb 2001, Paul Vixie wrote:

> patrick@cybernothing.org (Patrick Greenwell) writes:
>
> > hiding it DOES however make it harder for people (including network owners) to do surveys.
> >
> > By the same token one might argue that attempting to hide vulnerabilities from those paying you for "early warnings" doesn't help at all.
>
> Wrt the bind-members forum being discussed to death elsewhere, nobody can pay for early warnings. CERT will still be the source of early warnings. What people can pay for (bind-members participation) is the legal fees associated with NDA-level access to early fixes, if and only if they provide part of the internet's basic infrastructure (e.g., OS vendors and TLD server operators).

The category "OS vendors" gets a little fishy... Do Linus Torvalds and Alan Cox get on the list if they sign the NDA? How about Patrick Volkerding? Someone like Microsoft or Sun obviously qualifies, but with respect to Open Source OSes, fact is *everyone* is an OS vendor at some level. This is my main objection to the proposed private list: That it assumes everything is done from a couple centralized sources, such as companies like Microsoft or Sun. This is decidedly not true.

> > Just something to consider.
>
> I promise that ISC considered everything which was relevant, which your claim above is emphatically not. (Thanks for the FUD though.)

Now I wonder if my thoughts are relevant.

Matthew Devney
> The category "OS vendors" gets a little fishy... Do Linus Torvalds and Alan Cox get on the list if they sign the NDA? How about Patrick Volkerding?

If they're mature trustworthy people (I know Linus but not those other guys) and if they need some time to get patches ready for large user bases, then I feel sure that they'd be welcomed gladly.

Why are we discussing this on NANOG?
On Sat, Feb 03, 2001 at 03:03:25PM -0800, Paul A Vixie wrote:

> > The category "OS vendors" gets a little fishy... Do Linus Torvalds and Alan Cox get on the list if they sign the NDA? How about Patrick Volkerding?
>
> If they're mature trustworthy people (I know Linus but not those other guys) and if they need some time to get patches ready for large user bases, then I feel sure that they'd be welcomed gladly.

How about large SPs like ourselves who have many machines to keep current and are exposed to the world? How about a, say, Russian SP not bound to U.S. laws? Will they be allowed to subscribe to your list or not? How will you enforce such a closed user group on an international scale?

I really don't want to take a position either way, but I think the above are interesting and important questions. I would appreciate it if you could shed some light on those particular areas of concern.

> Why are we discussing this on NANOG?

'cause it does affect operators to some extent (some of us do use BIND for production purposes in one way or another). Besides, we got nothing better to do apparently... *sigh*

Cheers,
Chris

-- 
Christian Kuhtz <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."
On Sat, Feb 03, 2001 at 02:37:10PM -0800, mdevney@teamsphere.com wrote:

> The category "OS vendors" gets a little fishy... Do Linus Torvalds and Alan Cox get on the list if they sign the NDA? How about Patrick Volkerding? Someone like Microsoft or Sun obviously qualifies, but with respect to Open Source OSes, fact is *everyone* is an OS vendor at some level.

Most open source OS projects have a defined leadership and possibly a security team or a security officer, so determining who qualifies should be a simple enough task. I offer my condolences to whoever at ISC has to determine which of the seven billion Linux distros they consider large enough to warrant membership.

-- 
Bill Fumerola / billf@FreeBSD.org