[BIND] Proposal: Fee-based, closed membership [BIND] forum.

Chris Brown chris.brown at ctg.com
Thu Feb 1 09:19:23 EST 2001


I agree with the spirit of open source.  I don't think this closed BIND forum 
is going to do anything to diminish the open source movement.  Here's my 
thinking on why it is actually a good idea:

Paul Vixie is a smart guy, and he's been intrinsically involved in BIND and 
the Internet longer than probably any of the people on this list.  His intent is 
not to close open discussions, and he's not making BIND closed source.  
The code itself is still open for review by anyone who wants to spend the 
time doing so.  What he is doing is in essence providing a secure forum for 
active developers and key players, and to a degree increasing trust among 
them (the non-disclosure agreement).
Let's face it, as interested as I am in BIND, I haven't ever had a suggestion 
for its improvement that they were not already working on.  And in point of 
fact, I haven't looked at the code (with the exception of nsupdate.c) in 
years.  By excluding merely curious people like you and me from discussions 
among the real developers, he's excluding many would-be miscreants as well.  
That, I think, is the purpose.

The DNS infrastructure is the only service that if unavailable would make the 
whole Internet unusable by the average person, because of its necessarily 
centralized structure.  In the grand scheme of things, it doesn't matter if 
someone can't look up www.momandpop.com because ns1.momandpop.com 
is under attack.  It _does_ matter that no one can look up anything in *.com, 
*.net, and *.org because the root servers are under attack.  I'd much rather 
have the root servers secured, rather than be notified immediately of a 
potential exploit.  It is partially because of the globally centralized nature of 
the service that this forum doesn't fall under "security through obscurity."


Christopher Brown, CISSP
Corporate Security Advisor
Information Services
Computer Task Group (CTG)
chris.brown at ctg.com

>>> devnull at butcherfamily.com 02/01/01 04:31AM >>>
Oh boy, I don't like this at all!

This post just came in on [BUGTRAQ] about a proposed closed, fee-based
support and development forum for [BIND]. Sure, there have been some pretty
catastrophic events recently with [BIND] vulnerabilities and exploits, but
I don't think a closed, fee-based [BIND] forum is the way to go. 

I can't see any advantages, and it is just silly to think that access
restrictions will make [BIND] any more secure. 

In a way, this proposed orientation is essentially a variant of "security
by obscurity" by attempting to restrict access and involvement in the
development and refinement of [BIND] -=- something that is doomed to
failure, and quite possibly may spawn the development of an alienated
community of "outsiders" intent on finding more ways to break [BIND]!


Best regards.

Devon Null
devnull at butcherfamily.com 

"For every complex problem, there is a solution 
 		that is simple, neat and wrong."

-- Henry L. Mencken 
devnull at Buffalo.com  |  NEMO ME IMPUNE LACESSIT

Date: Wed, 31 Jan 2001 18:02:48 -0700
Reply-To: Theo de Raadt <deraadt at CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt at CVS.OPENBSD.ORG>
Subject: Security information for dollars?

What does the community think of this change in direction?

(Myself, I think it is a terrible idea to charge money for security
information access, and that closing BIND up like this is also going
to be harmful)


To: bind-announce at isc.org 
Subject: PRE-ANNOUNCEMENT: BIND-Members Forum
Date: Wed, 31 Jan 2001 09:36:02 -0800
From: Paul A Vixie <Paul_Vixie at isc.org>
X-Approved-By: Ruth.Anne.Ladue at nominum.com 
X-original-sender: Paul_Vixie at ISC.Org 
X-List-ID: <bind-announce.isc.org>

ISC has historically depended upon the "bind-workers" mailing list, and
CERT advisories, to notify vendors of potential or actual security flaws
in its BIND package. Recent events have very clearly shown that there is
a need for a fee-based membership forum consisting only of:

	1. ISC itself
	2. Vendors who include BIND in their products
	3. Root and TLD name server operators
	4. Other qualified parties (at ISC's discretion)

Requirements of bind-members will be:

	1. Not-for-profit members can have their fees waived
	2. Use of PGP (or possibly S/MIME) will be mandatory
	3. Members will receive information security training
	4. Members will sign strong nondisclosure agreements

Features and benefits of "bind-members" status will include:

	1. Private access to the CVS pool where bind4, bind8 and bind9 live
	2. Reception of early warnings of security or other important flaws
	3. Periodic in-person meetings, probably at IETF's conference sites
	4. Participation on the bind-members mailing list

If you are a BIND vendor, root or TLD server operator, or other interested
party, I urge you to seek management approval for entry into this forum, and
then either contact, or have a responsible party contact, isc-info at isc.org.

Paul Vixie
