OpenBSD Journal

Interview with Paul Vixie

Contributed by Dengue on from the the-bind-crisis dept.

Kurt Seifried has an interview with Paul Vixie up at SecurityPortal. This goes into a little more detail on the ISC's decision to have a members-only list. Be warned, there is not much new information here, other than Paul's assertion that bind-members (the members-only security list) will happen. Be sure to read the comments as well.

Comments
  1. By nilo (rwxr at hotmail dot com)

    The closed development model proposed by Vixie has already shown that it doesn't work. Since the protocol is widely known, I think that the best idea is to fork the bind source, audit the fork and release it. I think that lots of developers will remain with the free version, helping the development of the free version.
    Just my $.01.

  2. By jay fink (jrf@diverge.org, http://www.diverge.org/)

    Although the subject line sums up my thoughts, well, a members only list will not make a difference and in reality even if it did that difference would be negligible *at best*.

    Theo pretty much hit the nail on the head, bind4 and bind8 were pretty much bad (the exception of course being OpenBSD's patched version) anyway, ISC was too busy adding features when they finally took in the shorts.

    There is an interesting side story to this, if anyone remembers well, vixie was badmouthing bind4 and 8 because of its college roots and in a bad way. His proclomation (ispell?) was that bind9 which was written from scratch and co-funded by many parties (most of which were proprietary for sure) would be much better.

    Well, whether or not that is true, I dunno. I tried it and was not really excited over it. But lets play another game, it is called you got cash from vendors and now you look like MUD (regardless of bind9's claims to fame, whatever they may be).

    I can only imagine how much email he got, how many complaints from interested parties. This is a knee jerk reaction to bad pr and this is what happens when you, for lack of a better phrase, lay in bed with the wrong people.

    This is why staying free and resisting proprietary partnerships will be the bastion to the cornerstone (the cornerstone being security) of OpenBSD. It is free; no strings attached. I might also add that even when OpenBSD came under apparent fire for a large amount of string holes (read this: BUGS) awhile back - Theo and the rest of the OpenBSD gang (including users) handled it with grace.

    IMHO if this action goes through, there should be a fork of the most secure version we know of, I am guessing that is 4 which ships. Or the worst case, someone spearheads a project somewhere to make a completely free dns server.


  3. By Lamont Granquist (lamont@scriptkiddie.org, http://www.scriptkiddie.org/~lamont)

    It is appropriate to give notification to the authors of a program before releasing exploit information to the wilds, correct? (For an example of this you can look at RFPolicy.)

    Okay, so once someone has submitted a bug to ISC/Vixie, then what happens? (snide remarks aside). Ideally, ISC will fix the hole in bind and distribute fixes to their major "clients" (i.e. the root name servers). It would also be good to give all major distributions a heads up and some time to incorporate the patches and prepare advisories. It would then be good to synchronize the announcement of the security hole with the vendor security advisories.

    It would seem to me to be entirely in accordance with the intent behind RFPolicy for developers of security-critical software to set up early warning lists that were closed to the public for coordination of activity in advance of the release of an exploit. From what I understand this is all that ISC is doing. Why is this a bad thing?

    Yes, ISC will make some money off of this, but if it goes to support prompt fixing of holes in bind and to the security of the root nameservers, I think that's probably a good thing. And he's stated that the fees will probably be waived for organizations that are not-for-profit (and presumably open-source projects in the coding-without-pay sense).

    Now I'm not about to defend either Paul Vixie, ISC or the bug-infested piece of shit which is bind8 in general -- but what's the big deal about this policy?
