Feeds

ISC seeks cash amid BIND security concerns

Fees, please

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

ComputerWire: IT Industry Intelligence

As the internet's domain name system suffers a series of security setbacks, the custodian of BIND, the software overwhelmingly used by ISPs to converts names into IP addresses, wants to ramp up security and is seeking the cash to do it,

writes Kevin Murphy

.

This week the Internet Software Consortium introduced a membership fee structure in order to raise the money to maintain the security of BIND, the Berkeley Internet Name Domain, which has been found vulnerable to numerous security holes.

The BIND Forum launched officially yesterday, with founding members including Compaq, Ericsson, HP, IBM, VeriSign and Sun. The money it generates from fees will be used to pay for maintaining and securing BIND, which is free software.

Given BIND is the most widely deployed name server on the internet, making it a critical part of the infrastructure, the ISC appears woefully under-resourced. Of its nine-person staff, only one full-time developer is employed to maintain the software. Enhancements to BIND are made under contract with vendors that use the software.

"It's very difficult to get people to pay for just maintenance," said ISC chairman Paul Vixie. "All we need here is money sufficient to pay salaries."

The organization came in for some criticism in reports yesterday over the way it handled the latest vulnerabilities discovered in BIND. After an advisory was issued, the ISC made efforts to verify the identity of people requesting the patch before sending it.

At the same time, it also took the opportunity to pitch its membership services, prompting some BIND users to claim the company was operating a "cash for patches" scheme. Vixie said that is a "bizarre characterization", and pointed out BIND is free.

"At best it's a nuisance fee to make sure we're don't hand the keys to the kingdom to some angry teenager," said Vixie. "We believe it's necessary to put some effort to see the good guys get the patches before the bad guys. Some of the good guys hate that... Software vendors who include our product in their products love it."

Vixie said that with the most recent vulnerabilities it was not possible to design an exploit from the advisory, which was issued in conjunction with Internet Security Systems Inc and the CERT Coordination Center. But the patch itself could be used as a "roadmap" to create an attack tool, making the ISC protective of it.

For a year's membership, corporations with over $2bn annual revenue must pay $50,000, and those below $2bn must pay $5,000. Non-profits pay $1,000 and individuals a minimum of $100. To get the bonus service that sends security vulnerability warnings 10 days in advance of public disclosure, members must pay an extra 20% of their dues.

Vixie said the dues will be used just for BIND-related activities, and not to cross-subsidize the ISC's other critical task, which is administering one of the DNS's 13 root servers. That function is funded primarily from grants in California where the server is located.

These servers, which sit at the top of the DNS hierarchy, came under their first-ever simultaneous coordinated distributed denial of service attack last month. While the ISC's server handled the attack quite well, Vixie believes the next attack will be worse and even if the root holds up, without mirroring upstream devices could be clogged.

Responding to that attack and others like it, this week the ISC announced it will be the first of the 13 root server operators to widely mirror its server broadly around the world. Under a deal with APNIC, the Asia-Pacific IP address authority, up to 10 mirrors of the F-root will be deployed in Asia.

"I won't stop until I have 40 or 50 of these around the world," Vixie said. Other root server managers have local mirrors of their servers, he said, and some are considering deploying more geographically diverse mirrors. "I will be the first one to do it on this wide a scale," he said.

© Computerwire

Related story

Caught in a BIND

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.