BIND 9.3 Released With Commercial Support

darthcamaro writes "Time for net admins to update BIND: version 9.3 has been released. internetnews.com has a story on it where they talk with Paul Vixie, the founder of BIND's keeper ISC. In it he details why after so many years BIND has finally decided to offer commercial support. 'Many of the companies who use our software free of charge have told us that their corporate risk management strategy requires them to have a bona fide support channel for all of their critical operations,' Vixie said. 'In other words we were told that having the best software wasn't good enough, and giving it away for free wasn't good enough, we also had to ensure that commercial support was available or they could be forced to switch to software they didn't like as well just to get support.' The full press release on the BIND 9.3 release is also available."

Wait till the next exploit,,,

[darkjedi521]

Wasn't at one time BIND the IIS of the unix world? This could open them up to a world of problems if/when the next exploit shows up.

Re:Wait till the next exploit,,,

[Rosco+P.+Coltrane]

I'm sorry, but who even uses BIND anymore? an article like that on 66.35.250.150 is truly News for Nerds...

Re:Wait till the next exploit,,,

[John+Starks]

Exploits are not uncommon in BIND, even today. Take a look at their security alert page, especially the matrix at the bottom. Security problems abound!

It's not clear why people continue to use BIND. It's probably because it's just assumed that it's the only thing out there. But everything from security to configuration is poorly done in BIND. I use tinydns (part of djbdns) instead on all my servers. It's written by Daniel Bernstein, the same guy that wrote qmail. He's got a great track record -- no security holes in any of his software, AND he backs up that assertion with a $1000 prize to anyone that finds such a hole. He makes a better case than I do for tinydns/qmail vs. BIND/sendmail than I ever could.

Re:Wait till the next exploit,,,

[Florian+Weimer]

Exploits are not uncommon in BIND, even today.

Critical exploits in BIND 9 still have to show up. The really nasty bug so far was actually in OpenSSL.

It's not clear why people continue to use BIND.

For the full resolver part, their are hardly any alternatives. If you need DNSSEC, your options besides BIND are even more limited.

tinydns is unusable for most people (who aren't masochists) because it doesn't conform to existing standards and parctice. Just speaking the DNS protocol is not enough, you also have to implement some of BIND's quirks, and more important: the software has to be maintained. DNS is still evolving, DJB's software is not. (Some of it doesn't even compile on modern, POSIX-conforming systems.)

Re:Wait till the next exploit,,,

[ectoraige]

It's not clear why people continue to use BIND.

I continue to use BIND because I don't like DJB's licence.

This is a simple reality in corporate use

[Martin+Blank]

No support, no sale.

I can understand it to a degree; there's no guarantee that the version installed today will not be completely dropped next month. It gets a little aggravating when it holds up an entire project, though, because of one small piece.

The upside, of course, is more funding for critical projects.

Re:This is a simple reality in corporate use

[Shakrai]

Many of these support contracts are really just the "Circuit City Extended Waranty" of the corporate world.

Have you ever known a PHB that didn't get the extended Circuit City warranty? That's what this is all about -- selling it to the PHBs of the World so we can go on using our OSS that we know works and even with the support contract is cheaper then the commercial alternative.

Re:This is a simple reality in corporate use

[NineNine]

It's not about whether it works or not. It's about being able to call somebody at 2:00AM when a critical machine goes down, as opposed to waiting for your Usenet post to get propogated, then hoping that l334G33k425 responds to your message in a timely manner and gives you the correct answer. Case in point... my retail businesses have a POS system that I paid for. Granted, there aren't any truly viable OSS ones out there yet, but assume there are. It's worth the money for me to be able to get someone on the phone 30 seconds after it crashes to get my business running again. Or if an employee fucks something up, I know that I can absolutely get someone on the phone who will eventually fix my problem. I don't care how good a competing OSS project is supposed to be: no software is perfect, and there absolutely, positively MUST be someone to fix it when the shit hits the fan (as it always does, eventually). When your rent & power bill & paycheck is on the line every day (as mine are), you don't fuck around. Period.

Re:This is a simple reality in corporate use

[Martin+Blank]

In my experience, it doesn't matter if support is 24/7 or three hours a day on odd days of the week every other month. So long as there's a support contract involved, that will get it in over something that has no formal support. I've seen companies buy one product over another solely because, while both are commercial software, one of them offers an option for a support contract and the other does not, whether or not the other one is paid support.

Where I'm at now, it's not uncommon to see support contracts for one product (and not anything from or as ubiquitous as Microsoft, either) reach a quarter of a million dollars a year or more. It's insane.

Re:This is a simple reality in corporate use

[jdray]

While I wouldn't have put it quite the way you did, I have to agree with you. If the OSS community keeps up the attitude that Shakrai puts forth, adoption into corporate datacenters and business areas will be slow and agonizing. As you said, people want assurances.

The upside is that companies are used to and willing to fork over large sums of cash for those assurances. So, if you love an OSS project enough to dedicate your life to it, then get to know it inside and out and start offering commercial support for it. If the product is stable, you never have to answer the phone. If you charge $500 per year for support, 100 customers makes for a tidy income. And, honestly, most midsize corporations wouldn't even blink at $500 per year for support on something that goes on a server, unless it was in astonishment at how cheap it was.

Finally

I've been waiting forever for them to get this resolved.

Good to see they're 'getting it'

[mgkimsal2]

Not specifically the BIND folks, but it's good to see that people are more and more waking up to this fact. Hopefully the fact that something is 'open source' and people are 'making money' from it won't be a newsworthy item in the near future.

What I think many programmers don't understand is that most people will often choose a so-so product from a well-run business over a better product from a poorly run business or organization. Having no guaranteed support mechanism for BIND (and other projects) does hurt adoption of those projects in many organizations. Option support is essentially the best of both worlds, as long as the prices aren't cost prohibitive. If pricing is too high, there's much less incentive to switch, because people will usually settle for 'good enough' when 'way better' costs a whole lot more.

<PHB>Who needs competent sysadmins?

[GypC]

We bought support. The god-like powers of software vendors are obviously much superior to those of anyone that would work for us, even if the source code is open. </PHB>

In technical terms...

[Rosco+P.+Coltrane]

"About every year or so they declare it complete, and then implementation begins and we discover that it's actually not complete," Vixie told

Given what Paul Vixie is famous for, I'd say the lines are:

0 0 1 1 * /bin/sh -c "echo it's complete"
5 0 1 1 * /bin/sh -c "echo nevermind..."

Todo

[T-Ranger]

1. Do a business name search on "BIND Support International".
2. Register it
3. Ditto for good domain name
4. Get letterhead printed
5. Randomly invoice big companies
6. ??
7. Profit!

Read your EULA please.

[Moderation+abuser]

Then come back and start telling us about the guarantees that you get. Oh, and have a look at your support contracts as well to see exactly you are guaranteed.

I think you'll find they amount to little more than "we'll do our best to support our l33t software".

You know what?

[Neil+Blender]

I really dig them root name servers.

NOT "Time for net admins to update"

[strabo]

I really hope that most net admins know better than to update until after the beta is over, and the release version comes out.

BIND 9.3.0 is not released yet. It is at beta 2, which was released two days ago.

Re:First Post?

[0racle]

Your going to need to learn how to read first. Bind for Windows NT/2000 binary and source, just a little down the page.

Re:Why is this a surprise?!

[operagost]

but I cringed when the launch screen came up with the usual "Not guaranteed for fitness or any purpose" or whatever.

Guess what? The Microsoft EULA (along with most other companies') says the same thing in other words. And you DO pay hordes of money for those without getting any real support, until you pay hordes more. Might as well get the right free product and buy competent support and save one horde.

How the BIND company makes money

[amacleod98]

D. J. Bernstein has a few things to say about this Also see here And here