Feeds

ISC seeks cash amid BIND security concerns

Fees, please

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

ComputerWire: IT Industry Intelligence

As the internet's domain name system suffers a series of security setbacks, the custodian of BIND, the software overwhelmingly used by ISPs to converts names into IP addresses, wants to ramp up security and is seeking the cash to do it,

writes Kevin Murphy

.

This week the Internet Software Consortium introduced a membership fee structure in order to raise the money to maintain the security of BIND, the Berkeley Internet Name Domain, which has been found vulnerable to numerous security holes.

The BIND Forum launched officially yesterday, with founding members including Compaq, Ericsson, HP, IBM, VeriSign and Sun. The money it generates from fees will be used to pay for maintaining and securing BIND, which is free software.

Given BIND is the most widely deployed name server on the internet, making it a critical part of the infrastructure, the ISC appears woefully under-resourced. Of its nine-person staff, only one full-time developer is employed to maintain the software. Enhancements to BIND are made under contract with vendors that use the software.

"It's very difficult to get people to pay for just maintenance," said ISC chairman Paul Vixie. "All we need here is money sufficient to pay salaries."

The organization came in for some criticism in reports yesterday over the way it handled the latest vulnerabilities discovered in BIND. After an advisory was issued, the ISC made efforts to verify the identity of people requesting the patch before sending it.

At the same time, it also took the opportunity to pitch its membership services, prompting some BIND users to claim the company was operating a "cash for patches" scheme. Vixie said that is a "bizarre characterization", and pointed out BIND is free.

"At best it's a nuisance fee to make sure we're don't hand the keys to the kingdom to some angry teenager," said Vixie. "We believe it's necessary to put some effort to see the good guys get the patches before the bad guys. Some of the good guys hate that... Software vendors who include our product in their products love it."

Vixie said that with the most recent vulnerabilities it was not possible to design an exploit from the advisory, which was issued in conjunction with Internet Security Systems Inc and the CERT Coordination Center. But the patch itself could be used as a "roadmap" to create an attack tool, making the ISC protective of it.

For a year's membership, corporations with over $2bn annual revenue must pay $50,000, and those below $2bn must pay $5,000. Non-profits pay $1,000 and individuals a minimum of $100. To get the bonus service that sends security vulnerability warnings 10 days in advance of public disclosure, members must pay an extra 20% of their dues.

Vixie said the dues will be used just for BIND-related activities, and not to cross-subsidize the ISC's other critical task, which is administering one of the DNS's 13 root servers. That function is funded primarily from grants in California where the server is located.

These servers, which sit at the top of the DNS hierarchy, came under their first-ever simultaneous coordinated distributed denial of service attack last month. While the ISC's server handled the attack quite well, Vixie believes the next attack will be worse and even if the root holds up, without mirroring upstream devices could be clogged.

Responding to that attack and others like it, this week the ISC announced it will be the first of the 13 root server operators to widely mirror its server broadly around the world. Under a deal with APNIC, the Asia-Pacific IP address authority, up to 10 mirrors of the F-root will be deployed in Asia.

"I won't stop until I have 40 or 50 of these around the world," Vixie said. Other root server managers have local mirrors of their servers, he said, and some are considering deploying more geographically diverse mirrors. "I will be the first one to do it on this wide a scale," he said.

© Computerwire

Related story

Caught in a BIND

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.