Feeds

ISC seeks cash amid BIND security concerns

Fees, please

  • alert
  • submit to reddit

High performance access to file storage

ComputerWire: IT Industry Intelligence

As the internet's domain name system suffers a series of security setbacks, the custodian of BIND, the software overwhelmingly used by ISPs to converts names into IP addresses, wants to ramp up security and is seeking the cash to do it,

writes Kevin Murphy

.

This week the Internet Software Consortium introduced a membership fee structure in order to raise the money to maintain the security of BIND, the Berkeley Internet Name Domain, which has been found vulnerable to numerous security holes.

The BIND Forum launched officially yesterday, with founding members including Compaq, Ericsson, HP, IBM, VeriSign and Sun. The money it generates from fees will be used to pay for maintaining and securing BIND, which is free software.

Given BIND is the most widely deployed name server on the internet, making it a critical part of the infrastructure, the ISC appears woefully under-resourced. Of its nine-person staff, only one full-time developer is employed to maintain the software. Enhancements to BIND are made under contract with vendors that use the software.

"It's very difficult to get people to pay for just maintenance," said ISC chairman Paul Vixie. "All we need here is money sufficient to pay salaries."

The organization came in for some criticism in reports yesterday over the way it handled the latest vulnerabilities discovered in BIND. After an advisory was issued, the ISC made efforts to verify the identity of people requesting the patch before sending it.

At the same time, it also took the opportunity to pitch its membership services, prompting some BIND users to claim the company was operating a "cash for patches" scheme. Vixie said that is a "bizarre characterization", and pointed out BIND is free.

"At best it's a nuisance fee to make sure we're don't hand the keys to the kingdom to some angry teenager," said Vixie. "We believe it's necessary to put some effort to see the good guys get the patches before the bad guys. Some of the good guys hate that... Software vendors who include our product in their products love it."

Vixie said that with the most recent vulnerabilities it was not possible to design an exploit from the advisory, which was issued in conjunction with Internet Security Systems Inc and the CERT Coordination Center. But the patch itself could be used as a "roadmap" to create an attack tool, making the ISC protective of it.

For a year's membership, corporations with over $2bn annual revenue must pay $50,000, and those below $2bn must pay $5,000. Non-profits pay $1,000 and individuals a minimum of $100. To get the bonus service that sends security vulnerability warnings 10 days in advance of public disclosure, members must pay an extra 20% of their dues.

Vixie said the dues will be used just for BIND-related activities, and not to cross-subsidize the ISC's other critical task, which is administering one of the DNS's 13 root servers. That function is funded primarily from grants in California where the server is located.

These servers, which sit at the top of the DNS hierarchy, came under their first-ever simultaneous coordinated distributed denial of service attack last month. While the ISC's server handled the attack quite well, Vixie believes the next attack will be worse and even if the root holds up, without mirroring upstream devices could be clogged.

Responding to that attack and others like it, this week the ISC announced it will be the first of the 13 root server operators to widely mirror its server broadly around the world. Under a deal with APNIC, the Asia-Pacific IP address authority, up to 10 mirrors of the F-root will be deployed in Asia.

"I won't stop until I have 40 or 50 of these around the world," Vixie said. Other root server managers have local mirrors of their servers, he said, and some are considering deploying more geographically diverse mirrors. "I will be the first one to do it on this wide a scale," he said.

© Computerwire

Related story

Caught in a BIND

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
Oz bank in comedy Heartbleed blog FAIL
Bank: 'We are now safely patched.' Customers: 'You were using OpenSSL?'
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.