Feeds

ISC seeks cash amid BIND security concerns

Fees, please

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

ComputerWire: IT Industry Intelligence

As the internet's domain name system suffers a series of security setbacks, the custodian of BIND, the software overwhelmingly used by ISPs to converts names into IP addresses, wants to ramp up security and is seeking the cash to do it,

writes Kevin Murphy

.

This week the Internet Software Consortium introduced a membership fee structure in order to raise the money to maintain the security of BIND, the Berkeley Internet Name Domain, which has been found vulnerable to numerous security holes.

The BIND Forum launched officially yesterday, with founding members including Compaq, Ericsson, HP, IBM, VeriSign and Sun. The money it generates from fees will be used to pay for maintaining and securing BIND, which is free software.

Given BIND is the most widely deployed name server on the internet, making it a critical part of the infrastructure, the ISC appears woefully under-resourced. Of its nine-person staff, only one full-time developer is employed to maintain the software. Enhancements to BIND are made under contract with vendors that use the software.

"It's very difficult to get people to pay for just maintenance," said ISC chairman Paul Vixie. "All we need here is money sufficient to pay salaries."

The organization came in for some criticism in reports yesterday over the way it handled the latest vulnerabilities discovered in BIND. After an advisory was issued, the ISC made efforts to verify the identity of people requesting the patch before sending it.

At the same time, it also took the opportunity to pitch its membership services, prompting some BIND users to claim the company was operating a "cash for patches" scheme. Vixie said that is a "bizarre characterization", and pointed out BIND is free.

"At best it's a nuisance fee to make sure we're don't hand the keys to the kingdom to some angry teenager," said Vixie. "We believe it's necessary to put some effort to see the good guys get the patches before the bad guys. Some of the good guys hate that... Software vendors who include our product in their products love it."

Vixie said that with the most recent vulnerabilities it was not possible to design an exploit from the advisory, which was issued in conjunction with Internet Security Systems Inc and the CERT Coordination Center. But the patch itself could be used as a "roadmap" to create an attack tool, making the ISC protective of it.

For a year's membership, corporations with over $2bn annual revenue must pay $50,000, and those below $2bn must pay $5,000. Non-profits pay $1,000 and individuals a minimum of $100. To get the bonus service that sends security vulnerability warnings 10 days in advance of public disclosure, members must pay an extra 20% of their dues.

Vixie said the dues will be used just for BIND-related activities, and not to cross-subsidize the ISC's other critical task, which is administering one of the DNS's 13 root servers. That function is funded primarily from grants in California where the server is located.

These servers, which sit at the top of the DNS hierarchy, came under their first-ever simultaneous coordinated distributed denial of service attack last month. While the ISC's server handled the attack quite well, Vixie believes the next attack will be worse and even if the root holds up, without mirroring upstream devices could be clogged.

Responding to that attack and others like it, this week the ISC announced it will be the first of the 13 root server operators to widely mirror its server broadly around the world. Under a deal with APNIC, the Asia-Pacific IP address authority, up to 10 mirrors of the F-root will be deployed in Asia.

"I won't stop until I have 40 or 50 of these around the world," Vixie said. Other root server managers have local mirrors of their servers, he said, and some are considering deploying more geographically diverse mirrors. "I will be the first one to do it on this wide a scale," he said.

© Computerwire

Related story

Caught in a BIND

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches
CloudPassage points to 'pervasive' threat of Bash bug
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.