[BIND] Proposal: Fee-based, closed membership [BIND] forum.

Devon Null devnull at butcherfamily.com
Thu Feb 1 04:31:35 EST 2001

Oh boy, I don't like this at all!

This post just came in on [BUGTRAQ] about a proposed closed, fee-based
support and development forum for [BIND]. Sure, there have been some pretty
catastrophic events recently with [BIND} vulnerabilities and exploits, but
I don't think a closed, fee-based [BIND] forum is the way to go. 

I can't see any advantages, and it is just silly to think that access
restrictions will make [BIND] any more secure. 

In a way, this proposed orientation is essentially a variant of "security
by obscurity" by attempting to restrict access and involvement in the
development and refinement of [BIND] -=- something that is doomed to
failure, and quite possibly may spawn the development of an alienated
community of "outsiders" intent on finding more ways to break [BIND]!


Best regards.

Devon Null
devnull at butcherfamily.com

"For every complex problem, there is a solution 
 		that is simple, neat and wrong."

-- Henry L. Mencken 
devnull at Buffalo.com  |  NEMO ME IMPUNE LACESSIT

Date: Wed, 31 Jan 2001 18:02:48 -0700
Reply-To: Theo de Raadt <deraadt at CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt at CVS.OPENBSD.ORG>
Subject: Security information for dollars?

What does the community think of this change in direction?

(Myself, I think it is a terrible idea to charge money for security
information access, and that closing BIND up like this is also going
to be harmful)


To: bind-announce at isc.org
Subject: PRE-ANNOUNCEMENT: BIND-Members Forum
Date: Wed, 31 Jan 2001 09:36:02 -0800
From: Paul A Vixie <Paul_Vixie at isc.org>
X-Approved-By: Ruth.Anne.Ladue at nominum.com
X-original-sender: Paul_Vixie at ISC.Org
X-List-ID: <bind-announce.isc.org>
X-DCC-MAPS-Metrics: isrv3.isc.org 668; IP=0/633557 env_From=0/3494
	From=0/3451 Subject=0/3451 Message-ID=0/3453 Received=0/3453
	Body=0/3451 Fuz1=0/3451

ISC has historically depended upon the "bind-workers" mailing list, and
CERT advisories, to notify vendors of potential or actual security flaws
in its BIND package. Recent events have very clearly shown that there is
a need for a fee-based membership forum consisting only of:

	1. ISC itself
	2. Vendors who include BIND in their products
	3. Root and TLD name server operators
	4. Other qualified parties (at ISC's discretion)

Requirements of bind-members will be:

	1. Not-for-profit members can have their fees waived
	2. Use of PGP (or possibly S/MIME) will be mandatory
	3. Members will receive information security training
	4. Members will sign strong nondisclosure agreements

Features and benefits of "bind-members" status will include:

	1. Private access to the CVS pool where bind4, bind8 and bind9 live
	2. Reception of early warnings of security or other important flaws
	3. Periodic in-person meetings, probably at IETF's conference sites
	4. Participation on the bind-members mailing list

If you are a BIND vendor, root or TLD server operator, or other interested
party, I urge you to seek management approval for entry into this forum, and
then either contact, or have a responsible party contact, isc-info at isc.org.

Paul Vixie

More information about the nflug mailing list