PRE-ANNOUNCEMENT: BIND-Members Forum

James Raftery james-bind-users at now.ie
Thu Feb 1 14:24:02 UTC 2001


On Wed, Jan 31, 2001 at 10:44:46PM -0500, Brooklyn Linux Solutions CEO wrote:
> This is complete and utter nonsense.  
> When a vulnerability becomes known it's important for EVERYONE to
> know about it and the remedy....not just a select few 

Yes. But before it is 'known' who gets told? I'm not being flippant --
that is the core question.
Let's examine a likely course of events surrounding the recent 
announcement.

COVERT finds bugs. COVERT now know. Presumably they tell ISC. COVERT and
ISC now know. ISC tell CERT. COVERT and ISC and CERT now know.
At this point the bugs are still 'secret' but three parties know about
them. What's more, I think it's quite reasonable that only those three
parties know at this stage.

Before CERT released the advisory the operators of the root servers were
given 8.2.3 for the root servers. This is quite reasonable. The plan
seems to call for extending that to TLD nameserver operators (equally
reasonable, IMO) and vendors who release products based on BIND. This
avoids the nasty situation of publishing information about a
vulnerability without fixed software available from vendors. This is how
things work even now (see B8 and B9 at
http://www.cert.org/faq/cert_faq.html#B8). The proposal looks to have
the ISC perform vendor/operator liaison in place of CERT. The concept is
one I support. The devil, as they say, is in the detail.

Firstly, I should declare my bias; I am contracted to a TLD registry
though I am speaking for myself.

Fee based? Risks creating a 'them and us' impression. I also feel it
dents the credibility of the scheme. It's almost "give us cash or 
else...". Further, there are many, many ccTLD operators who don't have
any money to speak of. Seriously. Many don't charge their clients and so
have no income. Paying anything other than a nominal fee would be quite
difficult for such organisations.
If fees are levied, please have the constituent parts of the fee 
clearly broken down and publicly available so that it can be shown to be
for legitimate cost recovery only.

Most ccTLDs are served to some degree by servers not administered by
the TLD registry itself. They may be run by a commercial ISP or some
community-minded organisation such as RIPE. I would hope that the scheme
would allow for these other bodies who are not TLD registries
themselves but run TLD servers to be notified. The NDA should take this
into account. If the ISC doesn't want to deal directly with third
parties perhaps the TLD operators could act as a middle-man. Either way
any given TLD cannot be considered protected until all its servers are
upgraded - no matter who runs the servers.

Accepting members based on discretion could easily be used to further
the 'them and us' position. The scheme would be tarnished by looking
like a private club for some kind of elite. Membership should be based
on clear, simple criteria. If the criteria disbar membership of some
organisation then the criteria should be changed -- there should be no
discretion involved. You'll just be accused of using it improperly.


Regards,

james
-- 
James Raftery (JBR54)
  "It's somewhere in the Red Hat district"  --  A network engineer's
   Freudian slip when talking about Amsterdam's nightlife at RIPE 38.

