Ruben I Safir - Brooklyn Linux Solutions CEO ruben@mrbrklyn.com
Sun Feb 4 07:25:44 PST 2001

On Sun, 04 Feb 2001 01:32:01 Paul A Vixie wrote:


Q: Does this mean ISC's software will no longer be publicly available?
A: NO.  ISC's software is published under a "BSD-style" license which allows
   full redistribution, in source or binary, embedded or not, modified or not,
   with or without fee.  This has not changed, and will not change, ever.

Q: Then are you effectively charging for access to patches which come out
   between major releases?
A: NO.  Patches will be distributed as before.  In fact, all access to ISC's
   software will continue as before.  The bind-members Forum adds a new class
   of access to ISC's personnel and sources, but subtracts nothing.

Q: So the bind-members Forum programme does not restrict or delay any access
   to which the industry has become accustomed?
A: Right.

Q: You mean this whole thing is just to _add_ a new level of access for the
   organizations ISC considers critical to the Internet's infrastructure.
A: Yes.


Q: What is the fee structure associated with participation in the bind-members
   Forum?
A: This is still under consideration.  An announcement will follow.  However,
   we anticipate a graduated fee schedule similar to the X Consortium's.

Q: This whole thing smacks of a money-making scheme to enhance ISC.
A: All fees collected under this programme will go to support ISC's mission,
   which since 1993 has been (from http://www.isc.org/):
	"The Internet Software Consortium (ISC) is a not-for-profit
	 corporation dedicated to developing and maintaining production
	 quality Open Source reference implementations of core Internet
   Anyone who feels that ISC spends money on things it shouldn't is welcome
   to approach any board member and share those concerns.  See our web page
   (http://www.isc.org/ISC/bod.html) to learn who those board members are.

Q: Has ISC decided to transform itself into a for-profit members-only club?
A: NO.  ISC's mission, and its not-for-profit status, has not changed.


Q: Does this mean ISC and CERT are parting ways?
A: Not at all.  CERT has been ISC's partner in the discovery and publication
   of critical bugs in BIND and other software ever since ISC was founded,
   and ISC anticipates continuing this relationship in the foreseeable future.

Q: Will vendors receive bind-members notice of new bugs before they receive
   notice from CERT?
A: That will be up to CERT.  If they decide that the bind-members Forum is an
   acceptable notification method then they may choose to depend on it for
   their own vendor notices concerning BIND bugs.  In any case, ISC will
   notify CERT of any critical bugs we discover before bind-members hears
   about them.

Q: It's been said that CERT is too conservative about bug notifications, and
   that by the time they publish their vulnerability notices, everybody pretty
   much already knows what's going to be in it.
A: That has not been ISC's experience.  In any case, ISC recognizes CERT as
   the industry's chosen agent for this type of notification, and recommends
   that anyone who is dissatisfied with CERT's policies discuss those policies
   directly with CERT.

Q: What's the difference between what OS vendors heard directly from CERT
   before the bind-members Forum was created, and what they will hear now?
A: In the past, OS vendors heard that there was a bug and that ISC would be
   releasing a patch to its latest releases, and if they needed any specific
   help they should contact ISC directly.  The bind-members Forum was created
   to formalize and facilitate that contact.

Q: What about critical bugs which are of no interest to CERT?
A: It's likely that such bugs would be discussed on bind-workers@isc.org, just
   as they have been for some years now.


Q: Why doesn't ISC just open its CVS repository to the world and let
   everyone find out about new bugs at the same time?
A: Because some parts of the Internet's infrastructure are harder to upgrade
   than others, and ISC believes in coordinated announcements.  If we opened
   our CVS repository then the "black hats" and "white hats" would learn of
   problems at the same instant.  The "white hats" have more work to do
   (preparing customer notifications and patches, and in some cases burning
   CDROMs) than the "black hats" (just load the script-kiddieware and go).

Q: What if the "black hats" release their notice before ISC or the "white
   hats" know what's going on?
A: That happens sometimes.  When it does, it's most unfortunate for the "white
   hats" and we catch up as quickly as we can.  But if, as happens frequently,
   a critical bug is discovered during a source code audit, then ISC believes
   that it's in the best interests of the Internet infrastructure to get the
   patch into restricted distribution _before_ any general notices are sent.

Q: What about customer responsibility?  If a fee-paying participant in the
   bind-members Forum learns of a critical bug, aren't they contractually
   bound to tell their own customers about it no matter what NDA they signed?
A: Every participant has to weigh that for themselves.  It is expected that
   the period between the discovery and publication of a critical bug will be
   limited by practicality to a short few days, and that a prospective
   participant would see it as being in their customers' best interests to
   cooperate with such a delay.

Q: If OS vendors are already hearing notice from CERT, then what will the
   bind-members Forum really change?
A: Every participant in the bind-members Forum will undergo security training
   and will be required to learn and to use PGP or S/MIME when discussing
   things they learn from the bind-members Forum.  They will also agree to
   avoid general internal discussion of things they learn from the Forum.

Q: How will ISC enforce this NDA?
A: By definition, undetected NDA violations are of no concern to anybody.  If
   ISC detects a violation, then we reserve the right to terminate the
   violator's participation in the bind-members Forum.

Q: Can you give an example of a possible violation of this NDA?
A: Sending mail to ISC in clear text (that is, without any encryption) which
   includes or references information which was learned via the bind-members
   Forum and which has not been published elsewhere could be considered a
   violation of the NDA.

Q: What if part of my organization qualifies (let's say we serve a TLD) and
   another part does not (let's say we serve a lot of non-TLD's) -- would we
   be required to segregate our zones and only upgrade the "qualified" server?
A: No, you can run a single server if you want.  But the person who upgrades
   that server will not be able to do so from an organization-wide source
   or tell their coworkers what's being done, or why.

Q: The proposed "bind-members Forum" system only obscures that a problem
   exists, which means that far more systems would be compromised by people
   with bad intentions.
A: That would be true if we were proposing any additional delay before the
   public (CERT-driven) announcement.  We're not.  This is just a change to
   the way early notice to vendors and operators of critical servers is done.


Q: None of this would be necessary if BIND weren't so full of security holes!
A: History has shown that most large projects have bugs, and that some of
   these bugs will be security related or otherwise critical.  BIND has had
   its share of bugs, including critical ones.  Because ISC lacks the hubris
   needed to announce that there will never be another security-related or
   otherwise critical bug in BIND, and because BIND is used on 90% of the
   world's name servers including the root and TLD servers, we are formalizing
   the way we will handle any future bugs which are found.

Q: Other DNS software publishers promise 0 defects and even offer rewards.
   Why can't ISC seem to compete at the quality game?
A: If someone else's DNS software ever runs on 80% of the Internet's name
   servers and is shipped in source form that can run on a dozen or more
   architectures, ISC will certainly feel that we have much to learn from
   the authors of that software.

Q: What's the long term plan?  Are you going to invest any of the fees from
   this project in some QA?  (Ha ha ha.)
A: We've spent more than $2.5M on BIND9, which is a complete rewrite, and
   took a dozen senior or supersenior DNS software experts over two years to
   complete.  BIND9 is our long term plan.  Check it out at...
   ...especially if you like to read clean elegant modular auditable source.


Q: Don't root and TLD server operators already receive early notice of bugs?
A: Root server operators do, since ISC operates a root name server and we
   therefore know how to securely notify the other root server operators.
   TLD server operators historically relied on public notifications from CERT.
   The bind-members Forum will provide a secure communications path for root
   and TLD server operators to learn about severe bugs early enough to
   their upgrades before those bugs are common knowledge.

Q: Why are the root and TLD operators "special" in this way?  Shouldn't all
   name server operators, regardless of what zones they handle, have access
   to the same information at the same time?
A: Root and TLD servers enable the Internet to function.  There is no resource
   that is more critical in the information age, except perhaps electric
   If any of these servers were ever to be nefariously corrupted, the impact
   could be felt for many years following.

Q: I'm outraged to learn that root server operators and CERT's vendor contacts
   have been getting early notice of bugs and that you're now expanding this
   program to TLD server operators and forging even closer ties to the
   How long has this been going on?
A: Since at least 1993 when ISC was first incorporated.

Q: What about SLD's that are effectively regional TLD's, like COM.UK?
A: If you run a server which, though an SLD, is "like .COM or .NET" but on
   a country-level basis rather than a worldwide basis, you probably qualify.

Q: What about RIRs?
A: If you operate a server for the first octet under IN-ADDR.ARPA, then you
   qualify for the bind-members Forum since those servers are considered by
   ISC to be part of the Internet's infrastructure.


Q: Why should anybody have to pay ISC to receive critical bug notifications?
A: They don't.  These notifications will continue to come from CERT, who does
   not charge any fees for notices of vulnerabilities.

Q: I mean, why should anybody have to pay ISC for the right to discuss these
   bugs with ISC and in some cases have private access to ISC's source pool?
A: Because ISC is a not-for-profit corporation, and any programme of this kind
   must be financially self-supporting.  ISC's costs will include legal fees,
   contract administration, release and software engineering, and system
   administration (CVS, mailing lists, etc).

Q: So what happens if the participants of the bind-members Forum decide that
   they would rather notify their customers ONLY, and they try to block ISC
   and/or CERT from public disclosure, to try to gain competitive advantage?
A: This seems unlikely, but if this were to come to pass, ISC would have no
   choice but to exercise its contractual right to terminate the bind-members
   Forum and we'd just go back to publishing patches in conjunction with CERT.


Q: I'm an enterprise who uses BIND in production.  Do I need to join the
   bind-members Forum?
A: Not if you subscribe to the CERT mailing list.  As an enterprise member,
   you would only be eligible for early notifications of critical bugs if
   you operate a root or TLD server.  You can join, as a way to support the
   ISC in general and this programme in particular, and if you join then you
   will receive from ISC a copy of every BIND-related notice CERT sends out.
   But from a practical standpoint you could get the same thing by just
   subscribing to the CERT mailing list.

Q: But my enterprise serves millions of customers worldwide, and a DNS outage
   which is due to an attack you could have helped us prevent would place ISC
   in absolutely grave liability for my losses.
A: We appreciate your position, and we know that your vendors, and CERT,
   also understand the importance of getting enterprise-critical servers
   upgraded at the earliest practical moment.  However, the root and TLD
   servers _will_ be done first, since without those, no other servers
   would be reachable at all.

Q: I'm an *SP or registrar who uses BIND in production and I serve 100,000
   customer zones.  Can I join the bind-members Forum and get early notice
   of critical bugs?
A: Only if some of those 100,000 zones are TLD's or the root itself.  See
   above.  ISC would happily count you as an institutional member and send
   you copies of CERT's BIND-related advisories, but even with 100,000 zones
   you don't fit ISC's definition of "the Internet's infrastructure."  Sorry.

Q: I'm an *SP who uses BIND in production and I serve 1,000,000 customer
   zones, or a portal who uses BIND and has 1,000,000 or more distinct
   eyeballs per day, or a defaultless *SP doing business in 10 countries.
   What's my position with respect to bind-members Forum?
A: You may qualify.  Contact ISC.

Q: I'm a research lab involved in intrusions and intrusion detection.  Is
   there any benefit to participating in the bind-members Forum?
A: Nope.  CERT will fully disclose any critical bugs, and ISC's patches
   will be publicly available.  At ISC's discretion, an exemption can be
   made if you're one of the research labs who audits source code and helps
   to preserve the Internet's infrastructure by cooperating in restricted
   disclosure of what you find.  Contact ISC.

Q: I'm a software supplier and I include BIND in my product.  Should I join?
A: Almost certainly.  ISC considers it essential that your customers be able
   to install a patch or new version on the same day CERT publishes its
   vulnerability notice.  This means you will need a bit of a head start.
   However, you will have to agree to a strong NDA that prevents you from
   telling your supported customers about a problem until ISC gives the OK.
   This may be a conflict of interest for you, and we recommend that you have
   your lawyers look over the NDA when you get it.

Q: I'm part of the U.S. DoD, FBI, or other security-related agency.  What's
   my agency's eligibility?
A: Absolutely certain, though perhaps indirectly through another agency.

Q: This seems unfair.  Why does ISC get to decide who gets early access?
A: Because http://www.isc.org/ says...
	"The Internet Software Consortium (ISC) is a not-for-profit
	 corporation dedicated to developing and maintaining production
	 quality Open Source reference implementations of core Internet
   ...and we take that mission very seriously.


Q: I'm a support customer of ISC.  Does this entitle me to early access to
   critical bug notifications?
A: Not directly, no.  But if you qualify under some other provision (for
   example if you are also a TLD server operator) then your fees could be
   waived.  Contact ISC.

Q: I'm a support customer of a BIND vendor or ISC contractor.  What about me?
A: Your support vendor will likely participate in the bind-members Forum, and
   as such you would be notified of critical bugs as soon as ISC and CERT
   release the information, and it's likely that a patch would be installed
   or made available coincident with such public release.


Q: OK, I'm interested and I think I qualify.  What now?
A: If you received this message directly, then you are already on a mailing
   list where subsequent notices will be sent, and you don't have to do
   anything at this time.  If you received this message indirectly by
   "forwarding", then you should contact isc-info@isc.org and ask to be placed
   on either the bind-users@isc.org or bind-announce@isc.org mailing list.


Q: Why has there been such public outcry over this?
A: We call it the "whisper down the lane" effect.  Most of the folks who read
   the preannouncement notice for the bind-members Forum responded positively,
   and several who misunderstood it and sought clarification were satisfied.
   A vocal minority who misunderstood the announcement and/or disagreed with
   the intent have been able to inflame considerable, but often mistaken,
   public sentiment.  With this FAQ we hope to dispel all such misconceptions.

Q: If I still think this is a really bad idea, who should I complain to?
A: isc-info@isc.org is ready at all times for any comments or questions.

More information about the linux-elitists mailing list