ISC Retrospective on 2014 Open Source work

Most of our work at ISC falls into one of two major project categories: open source development and network services. We will review our 2014 accomplishments in network services in a separate post.

In 2014 we did a solid job of maintaining our primary open source projects, BIND 9 and ISC DHCP.  We fixed more bugs in 2014 than were discovered or reported in 2014 even while we dedicated a lot of resources to addressing the resolver DDOS problem and maintaining our support for standards development.

 

BIND 9

BIND is the industry reference implementation of the DNS protocols and a significant open source program at ISC.  In 2014 we made the difficult decision to cancel work on BIND10, and re-focus on BIND 9. We have continued maintenance of BIND 9 and added a new feature branch. In 2015 we hope to add more resources to the BIND 9 program, improve our test coverage and bring out another new feature branch, 18 months after the previous one.

Major accomplishments in 2014

  • Released 9.8.7 & 9.8.8, 9.9.5 & 9.9.6, 9.10.0 & 9.10.1.
  • Declared EOL for BIND 9.6 in January 2014 and for BIND 9.8 in December 2014.
  • We added 24 new articles about BIND in our knowledge base (kb.isc.org)
  • We posted an open BIND git repository
  • We released the beta version of a new BIND DNSSEC Guide

Maintenance

RESOLVED 575 issues in 2014, (not counting those opened before 1/1/2011)*
OPENED 557 new issues in our bug tracker

  • We made a special effort to review and accept more contributed patches. In 2014, we accepted integrated and released at least 35 contributed patches.
  • Created special Windows-releases for: 9.6 , 9.8.7 & 9.9.5, fixing a bug that prevented dig and nslookup from exiting properly when run on MS Windows systems.
  • Issued 4 –p sets of security releases.
  • We made an average of 2.6 commits per DAY to the BIND master branch
  • We use the Coverity open source scanning program extensively. BIND is showing an incredibly low defect density of 0.01, with 329,951 lines of code scanned.  We added the Coverity badges that track the current status to our BIND and DHCP pages on the ISC web site, so the information is readily available.

Security

The Heartbleed vulnerability discovered in OpenSSL had a big impact on the IT community, but did not impact BIND specifically.

We issued 5 CVEs, 3 of which were specific to 9.10:

  1. CVE-2014-0591: A Crafted Query Against an NSEC3-signed Zone Can Crash BIND
  2. CVE-2014-3214 A Defect in Prefetch Can Cause Recursive Servers to Crash (Affects recursive servers running BIND 9.10 only.)
  3. CVE-2014-3859: BIND named can crash due to a defect in EDNS printing processing (Affects BIND 9.10 only)
  4. CVE-2014-8500: A Defect in Delegation Handling Can Be Exploited to Crash BIND (Affects recursive servers only.)
  5. CVE-2014-8680: Defects in GeoIP features can cause BIND to crash (Affects BIND 9.10 only)

Codenomicon ran some packet fuzzing test runs on BIND 9.10 for us in the summer of 2014. They ran millions of test cases, and found a vulnerability in “dig” which, on closer inspection, revealed a “packet of death” vulnerability in BIND 9.10.0. ISC issued an operational advisory explaining how to build BIND with gcc 4.9 to avoid the problem.

 

New feature development

  • Launched BIND 9.10, with a new faster “map” format for zone files, pre-fetch, cookies, shared views and new statistics formatting.
  • Developed per-zone fetches, per-server fetches, and a hold-down timer for DDoS mitigation, which we trialed in our experimental service-provider branch
  • Implemented negative trust anchor to ease deployment of DNSSEC validation, also available now in our premium subscription branch, coming in 2015 to the open source 9.11 release
  • Implemented client-subnet-ID for authoritative service and began working on a design and project plan for full client-subnet-ID that will require external funding in 2015.

 Contributions to DNS standards

ISC engineers invest considerable time and effort working on proposals for Internet standards. Below is a list of documents in process that are ISC staff are writing or co-authoring.

ISC DHCP

ISC DHCP is distributed with most open-source operating systems and is incorporated into many commercial DDI/IPAM applications, as well as embedded devices. The software is mature and full-featured, but challenging to maintain. We are proud to have completed another year of aggressive maintenance, and to have released another feature branch. We added a new developer to the project in 2014. In 2015 we are hoping to taper off our work on ISC DHCP and focus more on Kea, the next generation DHCP server from ISC.

Major accomplishments in 2014

  • Released 4.1-ESVR9 & -R10, 4.2.6 & 4.2.7, 4.3.0 & 4.3.1
  • Extended the date for End of Life for DHCP 4.1 another year (planned for December 2014, extended until December 2015)
  • We created an open ISC DHCP git repository
  • We accepted at least 11 contributed patches
  • Added 12 new KB articles about ISC DHCP in our knowledgebase (kb.isc.org)

Maintenance

RESOLVED 167 issues in 2014 (not counting those opened before 1/1/2009)**
OPENED 133 new issues in our bug tracker

We use the Coverity free scanning program for open source programs, and starting in April, 2014, we made it a priority to address our outstanding Coverity errors in the DHCP project. Since then we have reversed the trend, and right now we have a Coverity defect density of 0.09, which is excellent.

We determined that our DHCP client script could be a vector for the Shellshock BASH vulnerability discovered in 2014. We communicated with the operating system packagers (who create these client scripts) about this possibility.

New Feature Development

We launched ISC DHCP 4.3.0, which we called our IPv6 ‘uplift’ release. This release added more feature support for IPv6, including access to relay options, on-expiry/on-renew features, and class support. It also added OMAPI subclass control, and implemented the newer standardized DHCID resource record format.

In addition to the 4.3.0 feature release, we added 12 minor features requested by users in releases 4.3.1 and 4.3.2, with selective backporting to earlier releases.

 

Kea

Kea is our under-development next-generation DHCP server, intended to eventually replace the ISC DHCP server. Kea is a server only, and does not currently include a client or relay. Kea is intended to be more easily extended than ISC DHCP, and is designed for dynamic reconfiguration. We are encouraged by the interest in contributing to and deploying Kea that we have seen from the community in 2014. We plan to continue new feature development in 2015, making Kea suitable for datacenter or public wifi deployments.

Major accomplishments in 2014

  • Released Kea 0.9, which separated Kea from the BIND10 framework, making it a working standalone application. We also removed the dependency on Python and Botan.
  • Began working on Kea 0.91, which is being developed in the open at kea.isc.org
  • We established a set of Kea interest mailing lists, which you can sign up for on the ISC Mailman page
  • We continued our partnership with GDANSK university, holding a hackathon there, and proposing several masters and PHD thesis projects.
  • We opened a site on GITHUB to accept contributions.
  • We have accepted patches from the following: RedHat, CapGemini, CERN, Facebook and 2 universities, Gdansk University and Silesian University.

 

ISC contributions to DHC standards development

ISC engineers invest considerable time and effort working on proposals for Internet standards. Among the more notable efforts in 2014 are the work on the DHCP proposals RFC3315bis, and the two DHCP privacy drafts. In addition to working on drafts, ISC Senior Software Engineer Tomasz Mrugalski co-chaired the IETF DHC working group in 2014.

  • RFC 7227 Guidelines for Creating New DHCPv6 Options: D. Hankins, T. Mrugalski, M. Siodelski, S. Jiang, S. Krishnan
  • RFC 7431 DHCPv4-over-DHCPv6 (DHCP 4o6) Transport: Q. Sun, Y. Cui, M. Siodelski, S. Krishnan, I. Farrer

 

Major Changes to Projects

  • We released version 1.2 of BIND 10, ended the BIND 10 development project at ISC, renamed the BIND 10 components as Bundy, and released control of the source to be managed by the Bundy project, which has put it up on GitHub.
  • We jettisoned the DNS-Co branding which had come to symbolize aggressive commercialization.
  • We wrapped up the Open Home Gateway Forum, funded by Comcast.
  • We removed all restrictions on our knowledge base and on our duplicate git repositories for BIND and ISC DHCP, so these resources are all free and open to anyone. Previously we reserved some access for subscribers only.

ISC conference presentations

In addition, we held 2 webinars and organized a meeting about DNS resolver DDOS mitigation measures at the 90th IETF in Toronto.

———-

* Date chosen to represent ‘current applicable issues’. We released BIND 9.9.0 in February, 2011

** Date chosen to represent ‘current applicable issues’.  We released ISC DHCP 4.1.0 in December, 2008

1 Comment

  1. Corey Donovan April 26, 2015

    Congratulations on another great year! While tabling plans for BIND 10 had to be tough, hardening BIND 9 and splitting out KEA server seems like the best move. We’ve heard from a number of people excited about the future of KEA in the data center and it’s development to eventually replace ISC DHCP. Thanks for everyone’s hard work at ISC!

Leave a reply

Last modified: May 28, 2015 at 11:49 am