Slashdot Mirror


BIND Security Info For "Members Only"?

achurch writes: "Paul Vixie has posted a message to bind-announce suggesting the formation of a "members-only" security information list for BIND, the DNS server used on most Internet systems. Membership would be limited to root/TLD nameserver operators, software vendors using BIND, and 'other qualified parties,' and members would have to sign 'strong nondisclosure agreements.'" I'm not sure how I feel about this, but I'm sure a lot of readers do.

9 of 331 comments

  1. I can kinda understand by macdaddy · · Score: 5
    They see bugs being exploited en masse causing huge problems for the Internet world at large and they want to minimize the number of people that hear about the bugs before they're fixed. Understandable. I don't think security through temporary obscurity is the way to go though. My $.02.

    BTW, first?

    --

    1. Re:I can kinda understand by msuzio · · Score: 5

      I think the biggest problem here is that BIND is *so* widespread (maybe even more so than sendmail?), when a bug breaks, it is immediately a major exploit waiting to happen.
      When the latest BIND 4/8 bugs hit, people were reporting attempts to exploit the bug almost immediately. That's really bad.

      So, is it OK to do this in an attempt to give the good guys a jump on the bad guys? Maybe. I'm very leery of any circumstance where bugs are actively hidden. I do believe that disclosure is key in any security situation. That having been said, I don't think that a closed list which agrees to discuss bugs locally before full disclosure is all bad.

    2. Re:I can kinda understand by MartinG · · Score: 5

      So what do you say to the ppl whose boxes are exploited in the meantime?

      BIND user: My box was exploited because of a buffer overflow bug that we didn't know existed.

      BIND bug ppl: Ah yes, we knew about that but we didn't tell anyone in case script kids heard about it.

      BIND user: Great. Now all our top secret info has been stolen and it could have been prevented. If you had made the bug public then WE could have decided what was best, and possibly taken the machine(s) offline until there was a fix.

      Think of it this way. If it was discovered that there was a really easy way of unlocking all existing house doors, would you want that information hidden temporarily in case criminals learned about it, or would you want to know so you could at least have a chance to board up the doors if you thought it was necessary? Making the exploit information available to all admins (regardless of whether the hax0rz also know) puts the admins in control, which is the right thing to do.

      Also, the problem with this stupid idea of limiting information spread is that it assumes the script kids are more on the ball than the admins. If that _is_ true, then _that_ is the problem that needs solving because in the end a poorly administered box will always be cracked however slowly or quickly you get the exploit info out.

      --
      -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  2. This actually isn't a bad idea by jayfoo2 · · Score: 5

    I'm a big fan of full disclosure of security issues, but this isn't an altogether bad idea, if only because of the criticality of BIND. If we could provide TLD admins with a little (note: a little) warning before exploits were announced it would greatly lessen the chance of a script kiddie doing serious damage. However, the information must then be made public, so other administrators can stay informed. I would support giving TLD admins a head start. I would not support giving them an opportunity to try to rely on security through obscurity.

  3. members only is one thing, but fee-based?? by lupa · · Score: 5

    i can understand why they would want to close the list of announcements of security flaws - it would make sense in terms of protecting their users from people who would take the information and abuse it.

    but what's the point in making it cost money? Paul Vixie states "Recent events have very clearly shown that there is a need for a fee-based membership forum" but there's no description of said events, or explanation of any sort. haven't the vendors and name server operators already invested enough in BIND, without making the security information cost more?

    can someone else explain the purpose of the fee to me?

  4. My response.... by jalbro · · Score: 5

    I'm on the bind-users mailing list, and here are some of my comments:

    Date: Wed, 31 Jan 2001 20:39:35 -0500 (EST)
    From: Jeffrey C. Albro
    To: bind-users@isc.org
    Subject: Re: PRE-ANNOUNCEMENT: BIND-Members Forum

    On Wed, 31 Jan 2001, Cricket Liu wrote:
    > > This is not an open source but a full/partial disclosure issue.
    >
    > No, it's not. No one is arguing that the vulnerabilities shouldn't
    > be disclosed and disclosed fully. The question is when.

    I agree. However, the "when" part needs to be laid out MUCH more
    clearly. If a vulnerability is found on the first of the month, and the
    main bind tree is patched by the seventh of the month, how long do you
    wait for vendors to patch their (assuming they have forked to some
    extent) version? To the 14th of the month? How long will a viable fix of
    the main source tree be held in secret?

    > Surely you can understand the need to patch critical pieces of
    > infrastructure such as the root, gTLD and ccTLD name servers
    > and to prepare patched binaries of BIND for various operating
    > systems before the vulnerability becomes widely known.

    Of course. But how long do you give downstream developers? Do you give
    them N days, and when N+1 appears will the forum embarrass paying members
    of your group? If everyone signs an NDA, no-one can squeal. Can a time
    limit be put on the NDAs?

    I believe this idea can help solve security problems faster, with less
    advertisement of the exploit, but steps need to be taken to make sure that
    is actually what happens.

    How is the conflict of interest solved?

    -Jeff

    > cricket

  5. Won't help the "general user", at least not a lot by mdb31 · · Score: 5
    You're reading this wrong: Vixie is proposing to form this 'support group' in response to criticism that only the root and some TLD server operators were notified in advance about the latest BIND emergency fix release. A lot of people were asking "why weren't we told in advance about these bugs?", and this is the answer. This proposed group (now with public membership rules instead of a "secret handshake") would know about new BIND emergency maintenance releases a few days/weeks before they would be generally available, allowing them to safely upgrade.

    This is not about doing away with full disclosure: merely delaying it to make sure that critical parts of the Internet infrastructure can't be easily brought down by K3WL RAD SCR1PT K1DD13S. For "regular" users, this won't make a difference: even if they receive advance notification (say, 1 or 2 days), as soon as the new version hits the FTP server, every "hacker" idiot will be out there diffing the new version against the old and finding the security flaws.

    Exploits will still be on Bugtraq in a few hours, and the usual legions of K3WL RAD SCR1PT K1DD13 L00SERS will be on your servers anyway soon after that. The proposed group would just make sure the really important servers are difficult to exploit and that your vendor might have a fixed version available at the same time the new general BIND (in source format...) is.

    I don't feel great about this, but only because I'm asking myself what happened to the Internet where users used to care, not mindlessly destroy each other's networks...

  6. It makes some sense by dubl-u · · Score: 5

    I don't think security through temporary obscrutiny [sic] is the way to go though.

    Giving vendors a little jump on the crackers makes some sense. When a bug is announced, it's nice to have patches ready, too, and a whole mess of people ship BIND.

    I'd be worried, though, that this would allow coverups; to prevent that from the start, they should make the mailing list archives automatically available after, say, 30 days.

    Information control is usually harmful in the long run, but it can be helpful in the short run.

  7. We became BIND-free, and love it. by SgtAaron · · Score: 5
    It's an amazing coincidence that I was in the process of ridding our network of BIND forever when I saw Paul Vixie post to NANOG. That was last Friday evening, three days before I saw anything about this on Bugtraq.

    Just last week I had decided that BIND was just too much of a hog, and the past security issues always nagged at me. I got rid of Sendmaul three years ago for the same reasons and switched our mail servers to qmail; this time I decided again to use djb's software and did the work of installing djbdns, a pretty lightweight name server that does everything I need it to do.

    Some of the things I have started to like about djbdns:

    • Easily-parsable data file format
    • Fast and lightweight, you can set it to use little memory and it will still work fine (my last day using BIND it had sucked 50MB of RAM)
    • It's secure! While still remaining skeptical, and no matter what you think of djb, he writes damn secure code
    • Return different answers depending on where the question came from; i.e. internal and external ip addresses get a different (or none) answer when looking for foo.example.com. (did bind do this? not sure)
    The easily-parsable data file format allows me to keep our DNS data in a mysql database and write tools to manage things more easily--via the web, command-line, whatever. I would hate to have to hack together something to read/write bind's zone files (perhaps there is a tool already, I don't know off-hand, but I don't care any more ;-). It's nice to be running a piece of software that I know will not enable the script kiddie next door access to my network.

    Even though I know BIND 9 is supposed to be completely different, it still does not engender my trust enough to use it any longer.
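
Two of the djbdns properties the post above lists (the colon-separated tinydns data format, and answering differently depending on the client's address) can be shown in a few lines. The following is an added example, not code from the poster or from djbdns: a small reader for the tinydns-data text format that resolves A records per client location. It assumes the record layout `+fqdn:ip:ttl:timestamp:lo` and `%lo:ipprefix` lines as documented for tinydns-data, where the longest matching string prefix of the client's dotted address selects the location and records with an empty location are visible to everyone; the example.com records and client addresses are constructed for the demonstration, and only `+`/`=` A records are handled (tinydns itself supports many more record types).

```python
"""Toy reader for the tinydns-data format with location-based ("split-horizon")
answers.  Added example; not part of djbdns.  Assumed semantics (from the
tinydns-data documentation as recalled here): '%lo:ipprefix' puts clients whose
dotted IP starts with ipprefix into location lo, longest prefix wins, and a
record whose location field is empty is returned to every client."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample zone.  Note the trailing dot on "10.": tinydns matches
# string prefixes, so a bare "10" would also match 100.x.x.x and 101.x.x.x.
SAMPLE_DATA = """\
# locations: "in" for internal clients, "ex" (empty prefix) for everyone else
%in:10.
%in:192.168.
%ex:
+foo.example.com:10.0.0.5:3600::in
+foo.example.com:203.0.113.5:3600::ex
+www.example.com:203.0.113.10
+secret.example.com:10.0.0.9:300::in
-+old.example.com:203.0.113.99
"""

DEFAULT_TTL = 86400  # tinydns-data's default when the ttl field is empty


@dataclass
class Record:
    name: str
    ip: str
    ttl: int
    lo: str  # location code; "" means visible to every client


@dataclass
class Zone:
    locations: Dict[str, List[str]] = field(default_factory=dict)  # lo -> prefixes
    records: List[Record] = field(default_factory=list)


def parse_data(text: str) -> Zone:
    """Parse tinydns-data lines.  Only '%', '+', '=' and '-' are handled here."""
    zone = Zone()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, fields = line[0], line[1:].split(":")
        if kind == "%":
            lo = fields[0]
            prefix = fields[1] if len(fields) > 1 else ""
            zone.locations.setdefault(lo, []).append(prefix)
        elif kind in "+=":
            # '=' also creates a PTR in tinydns; this example keeps only the A side.
            fields += [""] * (5 - len(fields))
            name, ip, ttl, _timestamp, lo = fields[:5]
            zone.records.append(
                Record(name.lower().rstrip("."), ip, int(ttl) if ttl else DEFAULT_TTL, lo)
            )
        elif kind == "-":
            continue  # disabled record, kept in the file but never served
        else:
            raise ValueError(f"record type {kind!r} not handled in this example: {line}")
    return zone


def client_location(zone: Zone, client_ip: str) -> str:
    """Longest matching string prefix wins; '' if no '%' line matches at all."""
    best_lo, best_len = "", -1
    for lo, prefixes in zone.locations.items():
        for prefix in prefixes:
            if client_ip.startswith(prefix) and len(prefix) > best_len:
                best_lo, best_len = lo, len(prefix)
    return best_lo


def lookup_a(zone: Zone, name: str, client_ip: str) -> List[str]:
    """A records for `name` as seen by a client at `client_ip`."""
    lo = client_location(zone, client_ip)
    wanted = name.lower().rstrip(".")
    return [r.ip for r in zone.records if r.name == wanted and r.lo in ("", lo)]


if __name__ == "__main__":
    zone = parse_data(SAMPLE_DATA)
    for client in ("10.1.2.3", "198.51.100.7"):
        print(client, client_location(zone, client),
              lookup_a(zone, "foo.example.com", client),
              lookup_a(zone, "secret.example.com", client))
```

Run as a script it prints, for each constructed client, its location and the answers it would get: the internal client sees the 10.0.0.x addresses, the external one sees only the 203.0.113.x address for foo and nothing at all for secret. The same prefix rule that makes this easy to reason about is also the thing to audit: a too-short prefix in a `%` line silently widens who counts as "internal".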