Paul D. Robertson wrote:
> It *is* worth looking back over the past BIND bug list and public
> disclosure and seeing which vendor-shipped products had fixes available
> prior to the exploits being published. While the "for money" bit may be
> debatable, I think anyone who thinks that giving the vendors using BIND
> source code in their products a little advanced warning is
> counter-productive to overall security might have questionable motives.
My motives will probably be agreed with by most, though my methods
probably will not be.
I believe (like many others) that security through obscurity is not the
proper method. I've lost track of the stories of people finding security
holes, reporting them to Sun, and Sun not releasing a patch, even though
they knew there was a hole, for MONTHS, when it's a very simple hole to
close. Then, they announce the details of the hole, and Sun has a patch
in a week. (Or a Month, but that's still months later than it should be
released.)
> Expanding the cloud from root server operators to them plus vendors who
> ship BIND seems to be not really earth-shattering for those of us not in
> the group of root server operators who would have gotten such
> notifications in the past.
There shouldn't be a cloud. It should just be announced. If there IS
such a group, though, the root server operators are the ones who
definitely need to know - And paying for it is bull****.
>> For me, the "hidden list" was the final straw. I switched to djbdns, and
>> am VERY happy with it.
>
> That makes me _really_ curious- You're saying that the long history of
> remotely exploitable holes wasn't the final straw, but simply the fact
> that vendors who get commercial gain out of shipping BIND in their
> products having to pay for advanced notification tipped the bucket?
Yep. Basically, there are two real contenders for DNS server code: BIND
and djbdns, so vendors are forced to either write something new and make
it interoperate, or package BIND. Supposedly, djbdns has a prohibitive
license, not that I've been able to find it to read it. (grep -i licens
in the source dir turns up nothing. I may just be blind, or stupid. But
shouldn't your license be as easy to locate as possible? Perhaps in the
README (not there) or a file called LICENSE (nonexistent).)
Anyway, people want BIND. And giving away BIND for truly free would
appear to be a goal of the ISC:
From the website:
The Internet Software Consortium (ISC) is a not-for-profit corporation
dedicated to developing and maintaining production quality Open Source
reference implementations of core Internet protocols. ISC efforts are
supported by the donations of generous sponsors, and by revenue from the
sale of:
  support contracts
  training courses
  consulting services
  software development contracts
But not the sale of software, or patches. Supposedly. It could be
considered a purchase of a "software development contract" to buy into
this list, but then one would expect ISC to observe proper coding
practices, and go audit their code in a fetishistic manner to ensure
that there ARE no buffer overflows etc - proactivity vs. reactivity. I
doubt that charging some vendors some money is going to change their
coding practice.
The BIND 9.1 license is provided here:
Copyright (C) 1996-2001 Internet Software Consortium.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
They don't make any commitment to notify the community of security holes
as soon as they are found. This is, I think, a bad thing. It means that
you may very well have a false sense of security right now about the
version of BIND you're running - unless you're running djbdns, in which
case there's someone out there trying not to lose $500.
> Don't get me wrong, I think djbdns is a good thing, I'm just really
> curious about the motivation to switch, since I've had serious friction
> from people who I recommended the switch to in the past.
I just don't have a feeling of trust for the ISC any more; I don't trust
the code that comes out of there, and I don't trust them to do the right
thing politically, either.
> Heck, if DJB went to a BSD license I'm sure he'd get a lot of traction,
> but of course that doesn't seem to be his motivator.
Sure. I'd like that, and so would everyone else. But I'll take what I
can get, in the meantime.