Reasons why BIND isn't being upgraded

> Wrt the bind-members forum being discussed to death elsewhere, nobody can pay
> for early warnings. CERT will still be the source of early warnings. What
> people can pay for (bind-members participation) is the legal fees associated
> with NDA-level access to early fixes, if and only if they provide part of the
> internet's basic infrastructure (e.g., OS vendors and TLD server operators).

I'm confused. I get the TLD server operators part. But you're saying
that you'd only give OS vendors access to this information. How long does
it take, say, Sun, to issue a patch update? Wouldn't it be much more
efficient, and useful, to issue the information directly to the people
using the software? How many people actually use the default vendor
binaries anyways?

You're now playing favorites with your software, which many people have
been using, and relying on, and helped you improve, for years. "Sorry,
you're not important enough to get any security notifications fast. Good
luck getting it when you get it".

You stated "part of the internet's basic infrastructure". Explain how
ISPs are not part of "the internet's basic infrastructure"?

I mean, if you're going to charge for it, and have NDAs, why not allow
anyone to pay for it? Depending on the price, if you're giving the info
to "selected people", I know I'd pay for it (well, depending on the
price). How do I know there's not going to be some script kiddie at Sun
or somewhere that gets a hold of the information before I do, and doesn't
care about an NDA?

Why not just go the sendmail.com route, if you're going to start charging,
and make it much clearer. "If you want support, etc., then pay us.
Otherwise, it's just Open Source, use at your own risk". I.e., *let* people
make their own decision whether or not they feel it's worth the money.

I think what's bothering me is that you're playing favorites, which, after
so many people have been relying on bind for so long, just doesn't seem
fair. But, I know, life isn't fair.

All of a sudden this djbdns is starting to sound like an idea...

Jeff

> I mean, if you're going to charge for it, and have NDAs, why not allow
> anyone to pay for it? Depending on the price, if you're giving the info
> to "selected people", I know I'd pay for it (well, depending on the
> price). How do I know there's not going to be some script kiddie at Sun
> or somewhere that gets a hold of the information before I do, and doesn't
> care about an NDA?

Obviously, they don't want people signing up who are only interested in
the information for cracking purposes...but I find it very hard to believe
vendors can be notified without vulnerability info being leaked. How many
people at how many vendors are going to get early warning of the next big
hole? Do you really think they're going to be able to put in the time to
get the update ready ASAP without the fact that a new hole exists being
leaked? I don't.

Does anyone know yet what they plan to charge or if they even plan to
charge uniformly? By "not-for-profit" members, do they mean actual legal
(for tax purposes) non-profit organizations, or just anyone who doesn't
directly profit from use/distribution of BIND? When GateD went this
route, I was able to get an A&R (Academic and Research) license for
free...but that license prevented me from actually using the restricted
gated code at work. Will ISC be as free with the free memberships as the
GateD Consortium was?

> All of a sudden this djbdns is starting to sound like an idea...

Except he's got his own set of restrictions that make it a PITA to rely on
his code.

> All of a sudden this djbdns is starting to sound like an idea...

(second post)

While the idea of another program to serve DNS isn't all that bad,
I think jumping ship just because of one new policy isn't necessarily
the most prudent thing to do.

I sort of see this "Oh my lord, if Bush gets elected I'm renouncing my
citizenship and moving to Europe" mentality WRT the new BIND policy.

Bush is in office, and I don't see anyone leaving the country :)

WRT djbdns: I've had a moderate level of experience with it, and,
while it seems interesting to an extent, operationally I've had several
annoying encounters with it.

When challenged, I seem to get the reply of "maybe some time later
it will have that" or "that is insecure, djb doesn't support that".

djbdns is also very infant - it's probably not popular enough for all
the skr1pt k1dd13s to have an interest in hacking at, because finding
a vulnerability in djbdns is about as useful to the "wreaker of havoc"
as finding a master door and ignition key to a '58 Pinto -- there's
about 17 of them on the planet :)

* WRT bind:

I don't think that the infrastructures that I run have DNS of
significant enough impact to require first-alert notification, and
the stuff that I *do* run that *does* require it has outsourced DNS -
so .. I don't think I'll be subscribing to "commercial advanced
notification" (unless I make Paul's A-List and get it comp), but I
don't think what the BIND project is doing is out of line in any way.

Nobody seems to understand or appreciate the work that has gone into
bind, and everyone's mad that one little aspect of something that
they've been getting for free, for years, isn't free anymore.

It's software. It requires man-hours, time, effort, resources and
above all talent. It's not like BIND is being discontinued and made
commercial-only. (Even then I don't think many would have a valid
argument.)

I fail to see the point of discussing or arguing partial commercialization
of premium services -- I haven't seen one valid point yet.

jamie

meltzer@villageworld.com (Jeffrey Meltzer) writes:

> I'm confused. I get the TLD server operators part. But you're saying
> that you'd only give OS vendors access to this information. How long does
> it take, say, Sun, to issue a patch update? Wouldn't it be much more
> efficient, and useful, to issue the information directly to the people
> using the software? How many people actually use the default vendor
> binaries anyways?

CERT handles notification. The bind-members forum is for people who receive
such notifications to coordinate with ISC on actual patch details. Check your
paranoia at the door.

> I'm confused. I get the TLD server operators part. But you're saying
> that you'd only give OS vendors access to this information. How long does
> it take, say, Sun, to issue a patch update? Wouldn't it be much more
> efficient, and useful, to issue the information directly to the people
> using the software? How many people actually use the default vendor
> binaries anyways?

Just about every very large company that I've ever worked with. Also,
having spent numerous years working the NAVSEA and other Pentagon systems,
you are explicitly not permitted to install anything other than a
vendor-provided patch.

My god, are there really this many idiots out there that don't grasp how
the world works?

core1.chi(config)# router opinion JoeRhett

% NANOG-5-NOSUCH: NanogTalk node 31337.123 misconfigured: unnecessary comment/opinion discarded

> > I'm confused. I get the TLD server operators part. But you're saying
> > that you'd only give OS vendors access to this information. How long does
> > it take, say, Sun, to issue a patch update? Wouldn't it be much more
> > efficient, and useful, to issue the information directly to the people
> > using the software? How many people actually use the default vendor
> > binaries anyways?
>
> Just about every very large company that I've ever worked with. Also,
> having spent numerous years working the NAVSEA and other Pentagon systems,
> you are explicitly not permitted to install anything other than a
> vendor-provided patch.
>
> My god, are there really this many idiots out there that don't grasp how
> the world works?

Good. Reduce yourself to insults and don't even answer the [first]
question.

> > > I'm confused. I get the TLD server operators part. But you're saying
> > > that you'd only give OS vendors access to this information. How long does
> > > it take, say, Sun, to issue a patch update? Wouldn't it be much more
> > > efficient, and useful, to issue the information directly to the people
> > > using the software? How many people actually use the default vendor
> > > binaries anyways?
> >
> > Just about every very large company that I've ever worked with. Also,
> > having spent numerous years working the NAVSEA and other Pentagon systems,
> > you are explicitly not permitted to install anything other than a
> > vendor-provided patch.
> >
> > My god, are there really this many idiots out there that don't grasp how
> > the world works?
>
> Good. Reduce yourself to insults and don't even answer the [first]
> question.

You're right about the insult, but the point remains -- it doesn't matter
how long Sun takes. He isn't changing how the security information gets to
the world, he's providing Sun a support channel for assistance integrating
the security fix.

In my experience (being a paying Sun support contract customer) I've gotten
security fixes from Sun in a time range from 2-6 hours. 6 hours was the
longest time that I've experienced from handing them a security flaw they
didn't know about until I had a valid patch in my hands.

On a closed circuit channel for security updates.

> > Good. Reduce yourself to insults and don't even answer the [first]
> > question.
>
> You're right about the insult, but the point remains -- it doesn't matter
> how long Sun takes. He isn't changing how the security information gets to
> the world, he's providing Sun a support channel for assistance integrating
> the security fix.

If a new distribution is available, why penalize those that don't need a
distro from a vendor to perform an upgrade? That's the point. Big or
small wrt company size is irrelevant. This question may have already
been answered but I dropped off early last night.

> In my experience (being a paying Sun support contract customer) I've gotten
> security fixes from Sun in a time range from 2-6 hours. 6 hours was the
> longest time that I've experienced from handing them a security flaw they
> didn't know about until I had a valid patch in my hands.
>
> On a closed circuit channel for security updates.

I'm a paying customer with a different vendor. I use my experience from
a few years ago to not rely on vendor knowledge let alone patches in
emergency mode.

The point is: there are many companies that don't pay for vendor
support. They may or may not be big. Why would you or anyone else prefer
to inject criticism toward their concern for network security
(particularly in light of all of the pissing and moaning that goes on in
this list wrt this subject) just because they do things differently
than you?