DNS/BIND Canards, Redux
In this interview we see yet another attempt by a technology executive to discredit all roads that do not lead to their products and services. Since in this case the creative pot shots are aimed at my company's products and services, and since this is far from the first time these canards have been trotted out, I've decided to respond for the record.
[DNS] is an industry that has seen very little innovation.
This is false by inspection. The DNS industry innovates both on the wire with protocol extensions such as dynamic updates, transaction signatures, real time change notification, incremental zone transfers, and data authenticity -- to name just a few of the dozens of protocol extensions defined by the IETF in the years since DNS was first defined, and off the wire with implementation improvements in areas such as performance, usability, and correctness, and with transparent on the wire changes in operational practice such as load balancing and global anycast.
...unfortunately, this has resulted in [BIND] being the most commonly exploited DNS server.
I think that since BIND has an 85% market share, it's natural that we'd be the most commonly attacked DNS server. Fortunately our source code is open and we have a software auditing team of planetary proportions. My own experience with software has been that software with a smaller market size has the same bug count (per million lines of code) as software with a larger market size, and that proprietary software without constant public inspection has a much higher bug count than open source software.
Many of the distributed DoS attacks that knock nameservers offline are related to inherent weaknesses in BIND's technology.
Can you provide a live repeatable example, even one, among the "many" you are claiming here?
Unless your company proactively stays on top of all the latest BIND news, you're vulnerable.
How is this different from any other software an enterprise might run, such as Windows or Mac/OS or Oracle or Linux? It seems to me that the choice to outsource one's operations should (and will) be made on a cost:benefit basis or on a philosophic basis, but not based on FUD.
We have many enterprises and service providers as customers of ISC's paid support services for BIND, and also our consulting, training, and software enhancement services. These customers range in size from SME to the Fortune 500, and they've determined that in-house open source fits their business plans and corporate philosophies. Please don't imply that they are idiots just because they don't subscribe to your business model.
- BIND 10
- Other Software Projects
- security advisories
- software forums
- ABOUT ISC