List: bind-announce
Subject: FREQUENTLY ASKED QUESTIONS ABOUT THE BIND-MEMBER FORUM
From: Paul A Vixie <Paul_Vixie () isc ! org>
Date: 2001-02-04 6:32:01
FREQUENTLY ASKED QUESTIONS ABOUT THE BIND-MEMBER FORUM
LICENSING:
Q: Does this mean ISC's software will no longer be publicly available?
A: NO. ISC's software is published under a "BSD-style" license which allows
full redistribution, in source or binary, embedded or not, modified or not,
with or without fee. This has not changed, and will not change, ever.
Q: Then are you effectively charging for access to patches which come out
between major releases?
A: NO. Patches will be distributed as before. In fact, all access to ISC's
software will continue as before. The bind-members Forum adds a new class
of access to ISC's personnel and sources, but subtracts nothing.
Q: So the bind-members Forum programme does not restrict or delay any access
to which the industry has become accustomed?
A: Right.
Q: You mean this whole thing is just to _add_ a new level of access for the
organizations ISC considers critical to the Internet's infrastructure.
A: Yes.
FEES:
Q: What is the fee structure associated with participation in the bind-members
Forum?
A: This is still under consideration. An announcement will follow. However,
we anticipate a graduated fee schedule similar to the X Consortium's.
Q: This whole thing smacks of a money-making scheme to enhance ISC.
A: All fees collected under this programme will go to support ISC's mission,
which since 1993 has been (from http://www.isc.org/):
"The Internet Software Consortium (ISC) is a not-for-profit
corporation dedicated to developing and maintaining production
quality Open Source reference implementations of core Internet
protocols."
Anyone who feels that ISC spends money on things it shouldn't is welcome
to approach any board member and share those concerns. See our web page
(http://www.isc.org/ISC/bod.html) to learn who those board members are.
Q: Has ISC decided to transform itself into a for-profit members-only club?
A: NO. ISC's mission, and its not-for-profit status, have not changed.
CERT:
Q: Does this mean ISC and CERT are parting ways?
A: Not at all. CERT has been ISC's partner in the discovery and publication
of critical bugs in BIND and other software ever since ISC was founded,
and ISC anticipates continuing this relationship in the foreseeable future.
Q: Will vendors receive bind-members notice of new bugs before they receive
notice from CERT?
A: That will be up to CERT. If they decide that the bind-members Forum is an
acceptable notification method then they may choose to depend on it for
their own vendor notices concerning BIND bugs. In any case, ISC will notify
CERT of any critical bugs we discover before bind-members hears about them.
Q: It's been said that CERT is too conservative about bug notifications, and
that by the time they publish their vulnerability notices, everybody pretty
much already knows what's going to be in it.
A: That has not been ISC's experience. In any case, ISC recognizes CERT as
the industry's chosen agent for this type of notification, and recommends
that anyone who is dissatisfied with CERT's policies discuss those policies
directly with CERT.
Q: What's the difference between what OS vendors heard directly from CERT
before the bind-members Forum was created, and what they will hear now?
A: In the past, OS vendors heard that there was a bug and that ISC would be
releasing a patch to its latest releases, and if they needed any specific
help they should contact ISC directly. The bind-members Forum was created
to formalize and facilitate that contact.
Q: What about critical bugs which are of no interest to CERT?
A: It's likely that such bugs would be discussed on bind-workers@isc.org, just
as they have been for some years now.
NONDISCLOSURE:
Q: Why doesn't ISC just open its CVS repository to the world and let
everyone find out about new bugs at the same time?
A: Because some parts of the Internet's infrastructure are harder to upgrade
than others, and ISC believes in coordinated announcements. If we opened
our CVS repository then the "black hats" and "white hats" would learn of
problems at the same instant. The "white hats" have more work to do
(preparing customer notifications and patches, and in some cases burning
CDROMs) than the "black hats" (just load the script-kiddieware and go).
Q: What if the "black hats" release their notice before ISC or the "white hats"
know what's going on?
A: That happens sometimes. When it does, it's most unfortunate for the "white
hats" and we catch up as quickly as we can. But if, as happens frequently,
a critical bug is discovered during a source code audit, then ISC believes
that it's in the best interests of the Internet infrastructure to get the
patch into restricted distribution _before_ any general notices are sent.
Q: What about customer responsibility? If a fee-paying participant in the
bind-members Forum learns of a critical bug, aren't they contractually
bound to tell their own customers about it no matter what NDA they signed?
A: Every participant has to weigh that for themselves. It is expected that
the period between the discovery and publication of a critical bug will be
limited by practicality to a short few days, and that a prospective
participant would see it as being in their customers' best interests to
cooperate with such a delay.
Q: If OS vendors are already hearing notice from CERT, then what will the
bind-members Forum really change?
A: Every participant in the bind-members Forum will undergo security training
and will be required to learn and to use PGP or S/MIME when discussing
things they learn from the bind-members Forum. They will also agree to
avoid general internal discussion of things they learn from the Forum.
Q: How will ISC enforce this NDA?
A: By definition, undetected NDA violations are of no concern to anybody. If
ISC detects a violation, then we reserve the right to terminate the
violator's participation in the bind-members Forum.
Q: Can you give an example of a possible violation of this NDA?
A: Sending mail to ISC in clear text (that is, without any encryption) which
includes or references information which was learned via the bind-members
Forum and which has not been published elsewhere could be considered a
violation of the NDA.
Q: What if part of my organization qualifies (let's say we serve a TLD) and
another part does not (let's say we serve a lot of non-TLD's) -- would we
be required to segregate our zones and only upgrade the "qualified" server?
A: No, you can run a single server if you want. But the person who upgrades
that server will not be able to do so from an organization-wide source pool,
or tell their coworkers what's being done, or why.
Q: The proposed "bind-members Forum" system only obscures that a problem
exists, which means that far more systems would be compromised by people
with bad intentions.
A: That would be true if we were proposing any additional delay before the
public (CERT-driven) announcement. We're not. This is just a change to
the way early notice to vendors and operators of critical servers is done.
QUALITY:
Q: None of this would be necessary if BIND weren't so full of security holes!
A: History has shown that most large projects have bugs, and that some of
these bugs will be security related or otherwise critical. BIND has had
its share of bugs, including critical ones. Because ISC lacks the hubris
needed to announce that there will never be another security-related or
otherwise critical bug in BIND, and because BIND is used on 90% of the
world's name servers including the root and TLD servers, we are formalizing
the way we will handle any future bugs which are found.
Q: Other DNS software publishers promise 0 defects and even offer rewards.
Why can't ISC seem to compete at the quality game?
A: If someone else's DNS software ever runs on 80% of the Internet's name
servers and is shipped in source form that can run on a dozen or more
architectures, ISC will certainly feel that we have much to learn from
the authors of that software.
Q: What's the long term plan? Are you going to invest any of the fees from
this project in some QA? (Ha ha ha.)
A: We've spent more than $2.5M on BIND9, which is a complete rewrite, and which
took a dozen senior or supersenior DNS software experts over two years to
complete. BIND9 is our long term plan. Check it out at...
http://www.isc.org/products/BIND/bind9.html
...especially if you like to read clean elegant modular auditable source.
SERVER SELECTIVITY:
Q: Don't root and TLD server operators already receive early notice of bugs?
A: Root server operators do, since ISC operates a root name server and we
therefore know how to securely notify the other root server operators.
TLD server operators historically relied on public notifications from CERT.
The bind-members Forum will provide a secure communications path for root
and TLD server operators to learn about severe bugs early enough to complete
their upgrades before those bugs are common knowledge.
Q: Why are the root and TLD operators "special" in this way? Shouldn't all
name server operators, regardless of what zones they handle, have access
to the same information at the same time?
A: Root and TLD servers enable the Internet to function. There is no resource
that is more critical in the information age, except perhaps electric power.
If any of these servers were ever to be nefariously corrupted, the impact
could be felt for many years following.
Q: I'm outraged to learn that root server operators and CERT's vendor contacts
have been getting early notice of bugs and that you're now expanding this
program to TLD server operators and forging even closer ties to the vendors.
How long has this been going on?
A: Since at least 1993 when ISC was first incorporated.
Q: What about SLD's that are effectively regional TLD's, like COM.UK?
A: If you run a server which, though an SLD, is "like .COM or .NET" but on
a country-level basis rather than a worldwide basis, you probably qualify.
Q: What about RIRs?
A: If you operate a server for the first octet under IN-ADDR.ARPA, then you
qualify for the bind-members Forum since those servers are considered by
ISC to be part of the Internet's infrastructure.
VENDOR SELECTIVITY:
Q: Why should anybody have to pay ISC to receive critical bug notifications?
A: They don't. These notifications will continue to come from CERT, who does
not charge any fees for notices of vulnerabilities.
Q: I mean, why should anybody have to pay ISC for the right to discuss these
bugs with ISC and in some cases have private access to ISC's source pool?
A: Because ISC is a not-for-profit corporation, and any programme of this kind
must be financially self-supporting. ISC's costs will include legal fees,
contract administration, release and software engineering, and system
administration (CVS, mailing lists, etc).
Q: So what happens if the participants of the bind-members Forum decide that
they would rather notify their customers ONLY, and they try to block ISC
and/or CERT from public disclosure, to try to gain competitive advantage?
A: This seems unlikely, but if this were to come to pass, ISC would have no
choice but to exercise its contractual right to terminate the bind-members
Forum and we'd just go back to publishing patches in conjunction with CERT.
MEMBER SELECTIVITY:
Q: I'm an enterprise who uses BIND in production. Do I need to join the
bind-members Forum?
A: Not if you subscribe to the CERT mailing list. As an enterprise member,
you would only be eligible for early notifications of critical bugs if
you operate a root or TLD server. You can join, as a way to support the
ISC in general and this programme in particular, and if you join then you
will receive from ISC a copy of every BIND-related notice CERT sends out.
But from a practical standpoint you could get the same thing by just
subscribing to the CERT mailing list.
Q: But my enterprise serves millions of customers worldwide, and a DNS outage
which is due to an attack you could have helped us prevent would place ISC
in absolutely grave liability for my losses.
A: We appreciate your position, and we know that your vendors, and CERT,
also understand the importance of getting enterprise-critical servers
upgraded at the earliest practical moment. However, the root and TLD
servers _will_ be done first, since without those, no other servers
would be reachable at all.
Q: I'm an *SP or registrar who uses BIND in production and I serve 100,000
customer zones. Can I join the bind-members Forum and get early notice
of critical bugs?
A: Only if some of those 100,000 zones are TLD's or the root itself. See
above. ISC would happily count you as an institutional member and send
you copies of CERT's BIND-related advisories, but even with 100,000 zones
you don't fit ISC's definition of "the Internet's infrastructure." Sorry.
Q: I'm an *SP who uses BIND in production and I serve 1,000,000 customer
zones, or a portal who uses BIND and has 1,000,000 or more distinct
eyeballs per day, or a defaultless *SP doing business in 10 countries.
What's my position with respect to bind-members Forum?
A: You may qualify. Contact ISC.
Q: I'm a research lab involved in intrusions and intrusion detection. Is
there any benefit to participating in the bind-members Forum?
A: Nope. CERT will fully disclose any critical bugs, and ISC's patches
will be publicly available. At ISC's discretion, an exemption can be
made if you're one of the research labs who audits source code and helps
to preserve the Internet's infrastructure by cooperating in restricted
disclosure of what you find. Contact ISC.
Q: I'm a software supplier and I include BIND in my product. Should I join?
A: Almost certainly. ISC considers it essential that your customers be able
to install a patch or new version on the same day CERT publishes its
vulnerability notice. This means you will need a bit of a head start.
However, you will have to agree to a strong NDA that prevents you from
telling your supported customers about a problem until ISC gives the OK.
This may be a conflict of interest for you, and we recommend that you have
your lawyers look over the NDA when you get it.
Q: I'm part of the U.S. DoD, FBI, or other security-related agency. What's
my agency's eligibility?
A: Absolutely certain, though perhaps indirectly through another agency.
Q: This seems unfair. Why does ISC get to decide who gets early access?
A: Because http://www.isc.org/ says...
"The Internet Software Consortium (ISC) is a not-for-profit
corporation dedicated to developing and maintaining production
quality Open Source reference implementations of core Internet
protocols."
...and we take that mission very seriously.
SUPPORT:
Q: I'm a support customer of ISC. Does this entitle me to early access to
critical bug notifications?
A: Not directly, no. But if you qualify under some other provision (for
example if you are also a TLD server operator) then your fees could be
waived. Contact ISC.
Q: I'm a support customer of a BIND vendor or ISC contractor. What about me?
A: Your support vendor will likely participate in the bind-members Forum, and
as such you would be notified of critical bugs as soon as ISC and CERT
release the information, and it's likely that a patch would be installed
or made available coincident with such public release.
ACTION:
Q: OK, I'm interested and I think I qualify. What now?
A: If you received this message directly, then you are already on a mailing
list where subsequent notices will be sent, and you don't have to do
anything at this time. If you received this message indirectly by
"forwarding", then you should contact isc-info@isc.org and ask to be placed
on either the bind-users@isc.org or bind-announce@isc.org mailing list.
REACTION:
Q: Why has there been such public outcry over this?
A: We call it the "whisper down the lane" effect. Most of the folks who read
the preannouncement notice for the bind-members Forum responded positively,
and several who misunderstood it and sought clarification were satisfied.
A vocal minority who misunderstood the announcement and/or disagreed with
the intent have been able to inflame considerable, but often mistaken,
public sentiment. With this FAQ we hope to dispel all such misconceptions.
Q: If I still think this is a really bad idea, who should I complain to?
A: isc-info@isc.org is ready at all times for any comments or questions.