The recent vulnerabilities in BIND must have overlooked one
flaw amongst that extensive list that makes every version deployed on
the planet vulnerable, the flaw that makes the ISC bind oversight committee
crash, coredump and lose its mind with this new, for-pay, "leet" bind
vulnerability list. Never mind the politics surrounding the issue that
bind development was in part paid for with public funds - or that they link to
GPL libraries that might technically GPL it. This bind $cabal$ idea is just
broken as long as none of us have any choice but to run bind if we want
to use the internet.

Considering that the only other credible alternative to bind that I've found,
djb-dns, has a ridiculously restrictive license that will essentially bar it
from _ever_ being distributed by others, that leaves the entire internet in the
unenviable position of relying on a dubious piece of software, managed in a
dubious fashion, as a single monoculture point of failure (there is NO
alternative!).  This is a critical issue that should be of concern to anyone
that relies on the Internet for _anything_.

Addressing assignment, the BGP routing table, and DNS are the glue that holds
the Internet together... hell, they ARE the Internet.  And to have the entire
Internet running on one (hideously twisted and ugly to boot)  piece of code,
waiting to blow up, like the mother of all single points of failure, is
ridiculous. The latest batch of vulnerabilities should be example enough that
it _will_ blow up.  I'm morbidly almost wanting someone to write the killer DNS
worm and take  down the _entire_ Internet in one fell swoop just to prove the
point. (Or waiting for the first script kiddy that DoSses 13 servers and locks
up every computer on the planet...)

The world desperately needs one or more decent alternatives (several would
be better, but at this point I would be happy with even one, credible,
widely deployed, alternative) just to remove this single point of failure.

As far as for-pay vulnerability lists for that single point of failure....
Hmmm... do you mean that all it will cost me is a few bucks spent on a cabal
membership and I can have a big head start on exploiting any new DNS bug and
thereby facilitating 0wn1ng every host on internet before anyone has any chance
to fix things or even know they're vulnerable (so that they can take _some_ sort
of precaution if possible)?  Cool, buy the entire internet all for one low, low,
price.... where do I sign up? Oh that's right, I can't.  I guess I just have to
be content with "bind-members" owning all my machines... :-( BTW, as an aside, I
think that if such a group ever actually forms, we'll likely see a backlash
response of one of the most systemic, widespread attacks against the whole
DNS system ever seen, as they elevate themselves to the juiciest single hacker
target in human history...

Sorry for the strong words, but the ISC is fucked up, apparently.  But I should
have guessed that when I first (tried to) read the later versions of bind source
(with apologies to Bill Norton the original project manager for that
development).  I just had to be slapped in the face with it again, repeatedly,
to wake up to this harsh reality. Someone, please, tell me there is another
alternative - because with the direction it's headed now, the Internet based on
bind isn't looking like it's going to be a very good, reliable, or secure,
network.

regrets,
--dr

> To: [EMAIL PROTECTED]
> Subject: PRE-ANNOUNCEMENT: BIND-Members Forum
> Date: Wed, 31 Jan 2001 09:36:02 -0800
> From: Paul A Vixie <[EMAIL PROTECTED]>
> X-Approved-By: [EMAIL PROTECTED]
> X-original-sender: [EMAIL PROTECTED]
> X-List-ID: <bind-announce.isc.org>
> X-DCC-MAPS-Metrics: isrv3.isc.org 668; IP=0/633557 env_From=0/3494
>        From=0/3451 Subject=0/3451 Message-ID=0/3453 Received=0/3453
>        Body=0/3451 Fuz1=0/3451
>
> ISC has historically depended upon the "bind-workers" mailing list, and
> CERT advisories, to notify vendors of potential or actual security flaws
> in its BIND package.  Recent events have very clearly shown that there is
> a need for a fee-based membership forum consisting only of:
>
>        1. ISC itself
>        2. Vendors who include BIND in their products
>        3. Root and TLD name server operators
>        4. Other qualified parties (at ISC's discretion)
>
> Requirements of bind-members will be:
>
>        1. Not-for-profit members can have their fees waived
>        2. Use of PGP (or possibly S/MIME) will be mandatory
>        3. Members will receive information security training
>        4. Members will sign strong nondisclosure agreements
>
> Features and benefits of "bind-members" status will include:
>
>        1. Private access to the CVS pool where bind4, bind8 and bind9 live
>        2. Reception of early warnings of security or other important flaws
>        3. Periodic in-person meetings, probably at IETF's conference sites
>        4. Participation on the bind-members mailing list
>
> If you are a BIND vendor, root or TLD server operator, or other interested
> party, I urge you to seek management approval for entry into this forum, and
> then either contact, or have a responsible party contact, [EMAIL PROTECTED]
>
> Paul Vixie
> Chairman
> ISC

--
Dragos Ruiu <[EMAIL PROTECTED]>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
                                                                    
http://cansecwest.com
CanSecWest/core01: March 28-30, Vancouver B.C.  ------------^
Speakers: Renaud Deraison/Nessus Attack Scanner, Martin Roesch/Snort/Advanced IDS,
  Ron Gula/Enterasys/Strategic IDS, Dug Song/Arbor Networks/Monkey in the Middle,
  RFP/Whisker2.0 and other fun, Mixter/2XS/Distributed Apps, Theo DeRaadt/OpenBSD,
  K2/w00w00/ADMutate, HD Moore/Digital Defense/Making NT Bleed, Frank Heidt/@Stake,
  Matthew Franz/Cisco/Trinux/Security Models, Fyodor/insecure.org/Packet Reconnaissance,
  Lance Spitzner/Sun/Honeynet Fun, Robert Graham/NetworkICE/IDS Technology Demo,
  Kurt Seifried/SecurityPortal/Crypto: 2-Edged Sword, Dave Dittrich/UW/Forensics,
  Sebastien Lacoste-Seris & Nicolas Fischbach/COLT Telecom/Securite.Org/Kerberized
  SSH Deployment, Jay Beale/MandrakeSoft/Bastille-Linux/Securing Linux