Feeds

ISC seeks cash amid BIND security concerns

Fees, please

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

ComputerWire: IT Industry Intelligence

As the internet's domain name system suffers a series of security setbacks, the custodian of BIND, the software overwhelmingly used by ISPs to converts names into IP addresses, wants to ramp up security and is seeking the cash to do it,

writes Kevin Murphy

.

This week the Internet Software Consortium introduced a membership fee structure in order to raise the money to maintain the security of BIND, the Berkeley Internet Name Domain, which has been found vulnerable to numerous security holes.

The BIND Forum launched officially yesterday, with founding members including Compaq, Ericsson, HP, IBM, VeriSign and Sun. The money it generates from fees will be used to pay for maintaining and securing BIND, which is free software.

Given BIND is the most widely deployed name server on the internet, making it a critical part of the infrastructure, the ISC appears woefully under-resourced. Of its nine-person staff, only one full-time developer is employed to maintain the software. Enhancements to BIND are made under contract with vendors that use the software.

"It's very difficult to get people to pay for just maintenance," said ISC chairman Paul Vixie. "All we need here is money sufficient to pay salaries."

The organization came in for some criticism in reports yesterday over the way it handled the latest vulnerabilities discovered in BIND. After an advisory was issued, the ISC made efforts to verify the identity of people requesting the patch before sending it.

At the same time, it also took the opportunity to pitch its membership services, prompting some BIND users to claim the company was operating a "cash for patches" scheme. Vixie said that is a "bizarre characterization", and pointed out BIND is free.

"At best it's a nuisance fee to make sure we're don't hand the keys to the kingdom to some angry teenager," said Vixie. "We believe it's necessary to put some effort to see the good guys get the patches before the bad guys. Some of the good guys hate that... Software vendors who include our product in their products love it."

Vixie said that with the most recent vulnerabilities it was not possible to design an exploit from the advisory, which was issued in conjunction with Internet Security Systems Inc and the CERT Coordination Center. But the patch itself could be used as a "roadmap" to create an attack tool, making the ISC protective of it.

For a year's membership, corporations with over $2bn annual revenue must pay $50,000, and those below $2bn must pay $5,000. Non-profits pay $1,000 and individuals a minimum of $100. To get the bonus service that sends security vulnerability warnings 10 days in advance of public disclosure, members must pay an extra 20% of their dues.

Vixie said the dues will be used just for BIND-related activities, and not to cross-subsidize the ISC's other critical task, which is administering one of the DNS's 13 root servers. That function is funded primarily from grants in California where the server is located.

These servers, which sit at the top of the DNS hierarchy, came under their first-ever simultaneous coordinated distributed denial of service attack last month. While the ISC's server handled the attack quite well, Vixie believes the next attack will be worse and even if the root holds up, without mirroring upstream devices could be clogged.

Responding to that attack and others like it, this week the ISC announced it will be the first of the 13 root server operators to widely mirror its server broadly around the world. Under a deal with APNIC, the Asia-Pacific IP address authority, up to 10 mirrors of the F-root will be deployed in Asia.

"I won't stop until I have 40 or 50 of these around the world," Vixie said. Other root server managers have local mirrors of their servers, he said, and some are considering deploying more geographically diverse mirrors. "I will be the first one to do it on this wide a scale," he said.

© Computerwire

Related story

Caught in a BIND

Remote control for virtualized desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
prev story

Whitepapers

Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.