2017 Retrospective

2017 was a good year for ISC!

Keeping an open source project funded, keeping any small non-profit going, is always a challenge, and we are grateful to have succeeded in doing that for another year. We finished 2017 feeling pretty stable and cautiously optimistic about our on-going projects and ISC’s future.

Highlights of 2017

• Staff changes: We hired a very capable new BIND developer, Michał Kępień, who came to us from NASK in the spring. Then in September we hired Ondřej Surý from CZNIC as our new Director of DNS Development. Tomek Mrugalski was promoted to Director of DHCP Development, responsible for both Kea and ISC DHCP. Stephen Morris is now leading QA and DNS Research. Fred Baker, member of ISC’s BOD for many years, became a part-time contractor and has taken on the role of ISC’s liaison to RSSAC.
• The BIND refactoring resulted in an incredible 5X performance improvement for glue-heavy authoritative applications. We also removed some obsolete features, ended support for WindowsXP and lwresd and generally ditched some legacy baggage. We implemented Serve Stale, protection against an outage like the massive DDOS that hit Dyn in October, 2016. IANA officially assigned port 953/tcp for BIND’s RNDC protocol.
• We opened ISC’s main bug database to guest users, in the process sponsoring some open source work by Best Practical. We published a free Resolver Check IOS application in the Apple Store, open sourced the ISC Perflab test software and published a NODE.js library for BIND’s RNDC interface.
• The DHCP team produced two Kea releases, adding a remote management API and support for shared networks. Our experiment with selling Kea premium hooks on the website was modestly successful, encouraging us to look at other low-cost offerings to sustain our DHCP work. In 2017, for the first time, kea-users mailing list activity outstripped discussion on DHCP-users. We developed ISC DHCP 4.4.0, which we believe will be our last major branch for this mature project, adding the shared library support that the OS packagers have been asking for and updating the DHCP client for the first time in a while.
• F-Root added 125 new nodes through an innovative new partnership with Cloudflare, improving response times for some users and further increasing resiliency. We instrumented F-Root for the new RSSAC02 statistics and began a rolling refresh of the traditional F-Root node hardware, using our new “F single” design. We replaced the DNSSEC Look-Aside Validator registry (DLV) with an empty zone, ending that “temporary&” service after 9 years. Meanwhile, we continued optimizing ISC’s extensive network to reduce costs, automating more of the F-Root management, and deployed Kea internally.

What DIDN’T happen

• We did some ambitious refactoring of BIND (in 9.12) and DIDN’T apparently break anything!
• We DIDN’T find any really bad security bugs in BIND (we published 8 CVEs, but they were generally applicable only to rare configurations).
• Although the random subdomain attacks and other standard DDOS attacks continued, our users DIDN’T see any new types of DNS attacks in 2017.
• ICANN DIDN’T roll the DNS root key. At ISC we spent a lot of time working to make sure that BIND users would not have a service interruption, but in the end ICANN decided to postpone the event, partly because data they had from some root key telemetry we added to BIND a year in advance.

Thank you

• Craigslist, Switch.CH and Alibaba Cloud made generous unsolicited donations to support our mission.
• Mozilla, Comcast and APNIC underwrote specific open source development projects for everyone’s benefit.
• We are also grateful to our many long-time support subscribers, who include some of the best network operators in the world, and who provide us with a stable funding base to maintain and evolve our open source.
• To all those who sent us patches or reported issues to us in 2017 – we really value these contributions as well, and we love hearing from you. Our top submitters for 2017 were: Tony Finch for BIND (he submitted and we reviewed and resolved an incredible 22 patches), Jiri Popelka for ISC DHCP, and Andrei Pavel for Kea.

We’re looking forward to 2018

• We have started using a lot more video in our team meetings. We all work remotely and we think it may help us enjoy meetings more, and improve teamwork. We will be looking for least two more new technical staff during 2018, a BIND developer and a Systems/Support Engineer. We are planning to launch a new forum, in part to help engage our more experienced users in creating some best practices advice for newer users.
• We are encouraged by our BIND refactoring so far and plan to continue the renewal. Right now we are working on the design for a BIND hooks interface, to enable extension modules. We are migrating our working BIND repository to Gitlab after we release 9.12, to make community collaboration easier and more transparent. A recent blog article outlined changes to the BIND release model we are implementing in 2018, including adding rapid development releases off of our working master branch. We are planning to start building our own packages for BIND and to release a Python module for RNDC.
• Our DHCP programs continue to operate at a loss, but we trust that our persistence will be rewarded in 2018, as we have had a surge of interest from users deploying Kea. The team is fully subscribed working on adding high-availability features and a supported Cassandra backend to Kea, and we are developing a configuration migration tool that will help people switch to Kea from ISC DHCP with minimum effort.

2017 measured