In response to the debate on bugtraq, people should read this...
If Paul hasn't already forwarded a copy there, that is...

> To: BIND-Members Forum Information:;
> Date: Sat, 03 Feb 2001 22:32:01 -0800
> From: Paul A Vixie <[EMAIL PROTECTED]>
> X-Approved-By: [EMAIL PROTECTED]
> X-original-sender: [EMAIL PROTECTED]
> Q: Does this mean ISC's software will no longer be publically available?
> A: NO.  ISC's software is published under a "BSD-style" license which allows
>    full redistribution, in source or binary, embedded or not, modified or not,
>    with or without fee.  This has not changed, and will not change, ever.
> Q: Then are you effectively charging for access to patches which come out
>    between major releases?
> A: NO.  Patches will be distributed as before.  In fact, all access to ISC's
>    software will continue as before.  The bind-members Forum adds a new class
>    of access to ISC's personnel and sources, but subtracts nothing.
> Q: So the bind-members Forum programme does not restrict or delay any access
>    to which the industry has become accustomed?
> A: Right.
> Q: You mean this whole thing is just to _add_ a new level of access for the
>    organizations ISC considers critical to the Internet's infrastructure.
> A: Yes.
> Q: What is the fee structure associated with participation in the bind-members
>    Forum?
> A: This is still under consideration.  An announcement will follow.  However,
>    we anticipate a graduated fee schedule similar to the X Consortium's.
> Q: This whole thing smacks of a money-making scheme to enhance ISC.
> A: All fees collected under this programme will go to support ISC's mission,
>    which since 1993 has been (from
>       "The Internet Software Consortium (ISC) is a not-for-profit
>        corporation dedicated to developing and maintaining production
>        quality Open Source reference implementations of core Internet
>        protocols."
>    Anyone who feels that ISC spends money on things it shouldn't is welcome
>    to approach any board member and share those concerns.  See our web page
>    ( to learn who those board members are.
> Q: Has ISC decided to transform itself into a for-profit members-only club?
> A: NO.  ISC's mission, and its not-for-profit status, has not changed.
> Q: Does this mean ISC and CERT are parting ways?
> A: Not at all.  CERT has been ISC's partner in the discovery and publication
>    of critical bugs in BIND and other software ever since ISC was founded,
>    and ISC anticipates continuing this relationship in the foreseeable future.
> Q: Will vendors receive bind-members notice of new bugs before they receive
>    notice from CERT?
> A: That will be up to CERT.  If they decide that the bind-members Forum is an
>    acceptable notification method then they may choose to depend on it for
>    their own vendor notices concerning BIND bugs.  In any case, ISC will notify
>    CERT of any critical bugs we discover before bind-members hears about them.
> Q: It's been said that CERT is too conservative about bug notifications, and
>    that by the time they publish their vulnerability notices, everybody pretty
>    much already knows what's going to be in it.
> A: That has not been ISC's experience.  In any case, ISC recognizes CERT as
>    the industry's chosen agent for this type of notification, and recommends
>    that anyone who is dissatisfied with CERT's policies discuss those policies
>    directly with CERT.
> Q: What's the difference between what OS vendors heard directly from CERT
>    before the bind-members Forum was created, and what they will hear now?
> A: In the past, OS vendors heard that there was a bug and that ISC would be
>    releasing a patch to its latest releases, and if they needed any specific
>    help they should contact ISC directly.  The bind-members Forum was created
>    to formalize and facilitate that contact.
> Q: What about critical bugs which are of no interest to CERT?
> A: It's likely that such bugs would be discussed on [EMAIL PROTECTED], just
>    as they have been for some years now.
> Q: Why doesn't ISC just open its CVS repository to the world and let
>    everyone find out about new bugs at the same time?
> A: Because some parts of the Internet's infrastructure are harder to upgrade
>    than others, and ISC believes in coordinated announcements.  If we opened
>    our CVS repository then the "black hats" and "white hats" would learn of
>    problems at the same instant.  The "white hats" have more work to do
>    (preparing customer notifications and patches, and in some cases burning
>    CDROMs) than the "black hats" (just load the script-kiddieware and go).
> Q: What if the "black hats" release their notice before ISC or the "white hats"
>    know what's going on?
> A: That happens sometimes.  When it does, it's most unfortunate for the "white
>    hats" and we catch up as quickly as we can.  But if, as happens frequently,
>    a critical bug is discovered during a source code audit, then ISC believes
>    that it's in the best interests of the Internet infrastructure to get the
>    patch into restricted distribution _before_ any general notices are sent.
> Q: What about customer responsibility?  If a fee-paying participant in the
>    bind-members Forum learns of a critical bug, aren't they contractually
>    bound to tell their own customers about it no matter what NDA they signed?
> A: Every participant has to weigh that for themselves.  It is expected that
>    the period between the discovery and publication of a critical bug will be
>    limited by practicality to a short few days, and that a prospective
>    participant would see it as being in their customers' best interests to
>    cooperate with such a delay.
> Q: If OS vendors are already hearing notice from CERT, then what will the
>    bind-members Forum really change?
> A: Every participant in the bind-members Forum will undergo security training
>    and will be required to learn and to use PGP or S/MIME when discussing
>    things they learn from the bind-members Forum.  They will also agree to
>    avoid general internal discussion of things they learn from the Forum.
> Q: How will ISC enforce this NDA?
> A: By definition, undetected NDA violations are of no concern to anybody.  If
>    ISC detects a violation, then we reserve the right to terminate the
>    violator's participation in the bind-members Forum.
> Q: Can you give an example of a possible violation of this NDA?
> A: Sending mail to ISC in clear text (that is, without any encryption) which
>    includes or references information which was learned via the bind-members
>    Forum and which has not been published elsewhere could be considered a
>    violation of the NDA.
> Q: What if part of my organization qualifies (let's say we serve a TLD) and
>    another part does not (let's say we serve a lot of non-TLD's) -- would we
>    be required to segregate our zones and only upgrade the "qualified" server?
> A: No, you can run a single server if you want.  But the person who upgrades
>    that server will not be able to do so from an organization-wide source pool,
>    or tell their coworkers what's being done, or why.
> Q: The proposed "bind-members Forum" system only obscures that a problem
>    exists which means that far more systems would be compromised by people
>    with bad intensions.
> A: That would be true if we were proposing any additional delay before the
>    public (CERT-driven) announcement.  We're not.  This is just a change to
>    the way early notice to vendors and operators of critical servers is done.
> Q: None of this would be necessary if BIND weren't so full of security holes!
> A: History has shown that most large projects have bugs, and that some of
>    these bugs will be security related or otherwise critical.  BIND has had
>    its share of bugs, including critical ones.  Because ISC lacks the hubris
>    needed to announce that there will never be another security-related or
>    otherwise critical bug in BIND, and because BIND is used on 90% of the
>    world's name servers including the root and TLD servers, we are formalizing
>    the way we will handle any future bugs which are found.
> Q: Other DNS software publishers promise 0 defects and even offer rewards.
>    Why can't ISC seem to compete at the quality game?
> A: If someone else's DNS software ever runs on 80% of the Internet's name
>    servers and is shipped in source form that can run on a dozen or more
>    architectures, ISC will certainly feel that we have much to learn from
>    the authors of that software.
> Q: What's the long term plan?  Are you going to invest any of the fees from
>    this project in some QA?  (Ha ha ha.)
> A: We've spent more than $2.5M on BIND9, which is a complete rewrite, and which
>    took a dozen senior or supersenior DNS software experts over two years to
>    complete.  BIND9 is our long term plan.  Check it out at...
>    ...especially if you like to read clean elegant modular auditable source.
> Q: Don't root and TLD server operators already receive early notice of bugs?
> A: Root server operators do, since ISC operates a root name server and we
>    therefore know how to securely notify the other root server operators.
>    TLD server operators historically relied on public notifications from CERT.
>    The bind-members Forum will provide a secure communications path for root
>    and TLD server operators to learn about severe bugs early enough to complete
>    their upgrades before those bugs are common knowledge.
> Q: Why are the root and TLD operators "special" in this way?  Shouldn't all
>    name server operators, regardless of what zones they handle, have access
>    to the same information at the same time?
> A: Root and TLD servers enable the Internet to function.  There is no resource
>    that is more critical in the information age, except perhaps electric power.
>    If any of these servers were ever to be nefariously corrupted, the impact
>    could be felt for many years following.
> Q: I'm outraged to learn that root server operators and CERT's vendor contacts
>    have been getting early notice of bugs and that you're now expanding this
>    program to TLD server operators and forging even closer ties to the vendors.
>    How long has this been going on?
> A: Since at least 1993 when ISC was first incorporated.
> Q: What about SLD's that are effectively regional TLD's, like COM.UK?
> A: If you run a server which, though an SLD, is "like .COM or .NET" but on
>    a country-level basis rather than a worldwide basis, you probably qualify.
> Q: What about RiR's?
> A: If you operate a server for the first octet under IN-ADDR.ARPA, then you
>    qualify for the bind-members Forum since those servers are considered by
>    ISC to be part of the Internet's infrastructure.
> Q: Why should anybody have to pay ISC to receive critical bug notifications?
> A: They don't.  These notifications will continue to come from CERT, who does
>    not charge any fees for notices of vulnerabilities.
> Q: I mean, why should anybody have to pay ISC for the right to discuss these
>    bugs with ISC and in some cases have private access to ISC's source pool?
> A: Because ISC is a not-for-profit corporation, and any programme of this kind
>    must be financially self-supporting.  ISC's costs will include legal fees,
>    contract administration, release and software engineering, and system
>    administration (CVS, mailing lists, etc).
> Q: So what happens if the participants of the bind-members Forum decide that
>    they would rather notify their customers ONLY, and they try to block ISC
>    and/or CERT from public disclosure, to try to gain competitive advantage?
> A: This seems unlikely, but if this were to come to pass, ISC would have no
>    choice but to exercise its contractual right to terminate the bind-members
>    Forum and we'd just go back to publishing patches in conjunction with CERT.
> Q: I'm an enterprise who uses BIND in production.  Do I need to join the
>    bind-members Forum?
> A: Not if you subscribe to the CERT mailing list.  As an enterprise member,
>    you would only be eligible for early notifications of critical bugs if
>    you operate a root or TLD server.  You can join, as a way to support the
>    ISC in general and this programme in particular, and if you join then you
>    will receive from ISC a copy of every BIND-related notice CERT sends out.
>    But from a practical standpoint you could get the same thing by just
>    subscribing to the CERT mailing list.
> Q: But my enterprise serves millions of customers worldwide, and a DNS outage
>    which is due to an attack you could have helped us prevent would place ISC
>    in absolutely grave liability for my losses.
> A: We appreciate your position, and we know that your vendors, and CERT,
>    also understand the importance of getting enterprise-critical servers
>    upgraded at the earliest practical moment.  However, the root and TLD
>    servers _will_ be done first, since without those, no other servers
>    would be reachable at all.
> Q: I'm an *SP or registrar who uses BIND in production and I serve 100,000
>    customer zones.  Can I join the bind-members Forum and get early notice
>    of critical bugs?
> A: Only if some of those 100,000 zones are TLD's or the root itself.  See
>    above.  ISC would happily count you as an institutional member and send
>    you copies of CERT's BIND-related advisories, but even with 100,000 zones
>    you don't fit ISC's definition of "the Internet's infrastructure."  Sorry.
> Q: I'm an *SP who uses BIND in production and I serve 1,000,000 customer
>    zones, or a portal who uses BIND and has 1,000,000 or more distinct
>    eyeballs per day, or a defaultless *SP doing business in 10 countries.
>    What's my position with respect to bind-members Forum?
> A: You may qualify.  Contact ISC.
> Q: I'm a research lab involved in intrusions and intrusion detection.  Is
>    there any benefit to participating in the bind-members Forum?
> A: Nope.  CERT will fully disclose any critical bugs, and ISC's patches
>    will be publically available.  At ISC's discretion, an exemption can be
>    made if you're one of the research labs who audits source code and helps
>    to preserve the Internet's infrastructure by cooperating in restricted
>    disclosure of what you find.  Contact ISC.
> Q: I'm a software supplier and I include BIND in my product.  Should I join?
> A: Almost certainly.  ISC considers it essential that your customers be able
>    to install a patch or new version on the same day CERT publishes its
>    vulnerability notice.  This means you will need a bit of a head start.
>    However, you will have to agree to a strong NDA that prevents you from
>    telling your supported customers about a problem until ISC gives the OK.
>    This may be a conflict of interest for you, and we recommend that you have
>    your lawyers look over the NDA when you get it.
> Q: I'm part of the U.S. DoD, FBI, or other security-related agency.  What's
>    my agency's eligibility?
> A: Absolutely certain, though perhaps indirectly though another agency.
> Q: This seems unfair.  Why does ISC get to decide who gets early access?
> A: Because says...
>       "The Internet Software Consortium (ISC) is a not-for-profit
>        corporation dedicated to developing and maintaining production
>        quality Open Source reference implementations of core Internet
>        protocols."
>    ...and we take that mission very seriously.
> Q: I'm a support customer of ISC.  Does this entitle me to early access to
>    critical bug notifications?
> A: Not directly, no.  But if you qualify under some other provision (for
>    example if you are also a TLD server operator) then your fees could be
>    waived.  Contact ISC.
> Q: I'm a support customer of a BIND vendor or ISC contractor.  What about me?
> A: Your support vendor will likely participate in the bind-members Forum, and
>    as such you would be notified of critical bugs as soon as ISC and CERT
>    release the information, and it's likely that a patch would be installed
>    or made available coincident with such public release.
> Q: OK, I'm interested and I think I qualify.  What now?
> A: If you received this message directly, then you are already on a mailing
>    list where subsequent notices will be sent, and you don't have to do
>    anything at this time.  If you received this message indirectly by
>    "forwarding", then you should contact [EMAIL PROTECTED] and ask to be placed
>    on either the [EMAIL PROTECTED] or [EMAIL PROTECTED] mailing list.
> Q: Why has there been such public outcry over this?
> A: We call it the "whisper down the lane" effect.  Most of the folks who read
>    the preannouncement notice for the bind-members Forum responded positively,
>    and several who misunderstood it and sought clarification were satisfied.
>    A vocal minority who misunderstood the announcement and/or disagreed with
>    the intent have been able to inflame considerable, but often mistaken,
>    public sentiment.  With this FAQ we hope to dispel all such misconceptions.
> Q: If I still think this is a really bad idea, who should I complain to?
> A: [EMAIL PROTECTED] is ready at all times for any comments or questions.

Reply via email to