Nominum Calls Open Source DNS "a Recipe For Problems"
Raindeer writes "Commercial DNS software provider Nominum, in an effort to promote its new cloud-based DNS service, SKYE, has slandered all open source/freeware DNS packages. It said: 'Given all the nasty things that have happened this year, freeware is a recipe for problems, and it's just going to get worse. ... So, whether it's Eircom in Ireland or a Brazilian ISP that was attacked earlier this year, all of them were using some variant of freeware. Freeware is not akin to malware, but is opening up those customers to problems.' This has the DNS community fuming. Especially when you consider that Nominum was one of the companies affected by the DNS cache poisoning problem of last year, something PowerDNS, MaraDNS and DJBDNS (all open source) weren't vulnerable to."
... how can you trust these guys to write your DNS software? They're the very guys who were contracted to write Bind9, the foremost open source domain name server, which they're now complaining about.
And, from TFA:
Reconcile THAT little gem with support for closed source software.
Does the word "cloud" have any particular meaning? Of course you should have multiple geographically and network diverse DNS servers. I run my master DNS on my own server, but I pay like $10 a year for my secondaries, which slave to the master. Under no circumstances will I ever give up control of my DNS, or use some shitty web app to manage my DNS records, and that's why I insist that the master (even if invisible) sit squarely on my end.
But then again, this has been the general recommendation for a couple of decades now, so I have no idea what "cloud computing" has to do with it. Offsite mirrors of critical data, DNS or otherwise, are simply sound practice.
The world's burning. Moped Jesus spotted on I50. Details at 11.
I think it's interesting that they are using the term freeware instead of open source or FOSS. In a lot of people's minds freeware is shit like Bonzi Buddy or Comet Cursor or whatever spyware-laden free software these execs always manage to get on their computers. They equate FOSS with badly written spyware and they keep using the term freeware in their quotes. Interesting. They must have Frank Luntz working for them.
I'm sure a lot of execs find this message believable and are drafting up a 'no freeware' policy, only to be diplomatically corrected by the IT dept later on.
Ironically, I have a hard time trusting non-FOSS freeware. I always wonder if I'm getting a virus or a trojan, and wonder why I haven't been able to find an OSS alternative to closed source Windows freeware/nagware programs. Paid-for proprietary I'm less worried about, but I'm not paying for what I consider basic functionality like DNS.
Buy our service or the ManBearPig will catch you. We are more secure because you don't know how insecure we are, but there was a specific case where the DNS used by the vast majority of the internet had a (fixed) vulnerability under special circumstances at a certain moment.
In Win2003, the Microsoft DNS is a slightly modified version of BIND8 with a BSD licence. It is hidden in there somewhere under the wizards.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
That's why we have bloggers, right? Journalists are paid to copy-paste from press releases, while bloggers derive their satisfaction from actually reading between the lines / further than the press release (that is, of course, generally speaking; there is at least some good investigative journalism left).
I just had a great example of this in my mailbox. A press release from a storage company announcing a new trade-in program; it's amazing how many websites just copy-pasted the cheerful announcement without mentioning they are facing a delisting from the NASDAQ or any other useful background info. Examples like this keep popping up; it makes you wonder about Murdoch's plans to charge for that "premium" content...
Remember: Payware isn't exactly the same as malware, but if they're asking for your credit card it's probably a scam.
-- The act of censorship is always worse than whatever is being censored. Always.
First, it's an interview. A lot of interviews tend to be one-sided. Especially on non-controversial issues, but the interviewer is obviously not aware of any potential controversy.
Second, it would be a good idea to post a comment there, and mail the interviewer and CC the editor. Let them know that they have essentially printed an advertisement, and that some alternative viewpoint would be in order, or at least questioning the claims.
Third, and most important, ZDNet is not known for investigative journalism. They will thank you for your message and that's about it. So the only good you can really do here is leave a comment, maybe pointing back to this discussion to see what knowledgeable people in the field think about the interview.
In what universe is chroot not a security measure?
It is not perfect security all by itself, but it is *a* security measure. It prevents several classes of local escalation attacks.
You may as well claim that BSD's jail, alternate namespaces and virtual machines are not a security measure. None of those are perfect, but every little bit helps.
If you've ever had the pleasure of actually seeing a quote from Nominum, you'll see why they're so down on 'freeware'.
Nominum's DNS software is extremely (and I mean VERY) expensive. For anyone. And I don't just mean it's hundreds or thousands of dollars. It's HUNDREDS _OF_ THOUSANDS of dollars for even a few licenses.
I suspect sales are down (in these uncertain economic times *cough*) so slandering the competition (errrmmm... how do you compete with free?) is apparently the current marketing strategy.
Happily, this interview/article makes me dislike them and their products even more than I already did.
"Oh yeah, those open source DNS servers are the lesser products" is either a liar or a moron.
Unless you are really selling a better product than the Open Source product, yours is the lesser product.
Being as you admit that Bind is a pain in the ass. If one would create a product just as good as bind but with a nicer UI then it will be a superior product.
Or...
Depending on your point of view on what features you find important, simpler apps may be superior to Bind because they may do what you want but without the hassle.
Don't be like RMS and pigeonhole people in nice little boxes of Smart and Stupid, Good and Evil. Because what will happen is the idiot will find a way to do something that will leave you in the dust.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
That answer just pisses me off.
If I have a secret way of blocking a hacker...
Right. That sounds like an awesome idea. How useful is that "secret" if the customer knows about it? It needs to be documented in that case, which means everyone knows about it, which means it's another attack surface. Plus, there must be a way of turning that feature back off.
If the customer doesn't know about it. It's only a matter of time before said hacker finds out about it, cause it will get out there. It also means that anyone who works (and worked for) said vendor can exploit that feature for their own purposes. The customer who paid for the software is just left out in the cold. Good job there. Sounds like an excellent reason to not use open code.
Well done Nominum...
dig nominum.com ns +short
ns3.nominum.com.
ns1.nominum.com.
ns2.nominum.net.
dig @ns2.nominum.net version.bind txt chaos +short
"9.3.5-P2"
Is it me, or does that not look like a bind version number (an old one, at that)
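The dig query above asks the server a CHAOS-class TXT question for version.bind, and BIND answers with its version string unless configured otherwise. As an added example that is not part of the thread, the Python below builds that same query on the wire, parses the reply, and reports whether a server discloses its version, the kind of check an operator runs against their own resolvers. The reply bytes (one disclosing "9.3.5-P2", one REFUSED) are constructed inline so it runs offline; the function names and the sample transaction id are this example's own.

```python
# Added example (not code from the Slashdot thread or from any DNS project):
# build the CHAOS-class TXT query for version.bind that `dig` sends, parse a
# reply, and flag version disclosure. Sample replies are constructed inline.
import struct

TXT, CH = 16, 3  # QTYPE TXT, QCLASS CHAOS


def encode_name(name):
    """Encode a dotted name ("version.bind") as DNS wire-format labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid):
    """12-byte header plus one question: version.bind TXT CH."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack(">HH", TXT, CH)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_version_response(msg):
    """Return (rcode, list of TXT strings found in CHAOS-class answers)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    strings = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TXT and rclass == CH:
            p = 0
            while p < len(rdata):                   # <len><chars> segments
                n = rdata[p]
                strings.append(rdata[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
    return flags & 0xF, strings


def audit(msg):
    """Operator's verdict on one reply to the version.bind query."""
    rcode, strings = parse_version_response(msg)
    if strings:
        return "DISCLOSED: " + " ".join(strings)
    return "HIDDEN (rcode %d)" % rcode


def make_sample_response(txid, version):
    """Constructed reply: one TXT answer if version is given, else REFUSED."""
    question = encode_name("version.bind") + struct.pack(">HH", TXT, CH)
    if version is None:                             # QR|AA, rcode 5 (REFUSED)
        return struct.pack(">HHHHHH", txid, 0x8405, 1, 0, 0, 0) + question
    rdata = struct.pack("B", len(version)) + version.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TXT, CH, 0, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    # Against a live server you would send build_version_query() over UDP/53
    # and pass the datagram to audit(); here only constructed replies are used.
    for v in ("9.3.5-P2", None):
        print(audit(make_sample_response(0x1234, v)))
```

On BIND the string comes from the `version` setting in the `options` block of named.conf, so an operator can replace or suppress it; that hides a fingerprint but, as the thread's security-by-obscurity comments note, is no substitute for running a patched release.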
... are giving lectures about security but can't even configure properly their own webserver (notice the Notice). What a bunch of losers...
I had a client who wanted to use either DynDNS Enterprise or UltraDNS, and priced both out for them. When the UltraDNS sales dude called me to find out why they didn't win the business, I told them because DynDNS was $250/month (thousands of A records) and they wanted $3500/month. He said "Oh, I thought you were looking for enterprise-grade DNS services." I responded with an email, "What do you provide that they don't?". Never heard back. UltraDNS can go DIAF. Gougers like that belong with lawyers, at the bottom of the ocean.
While I disagree with the idea that open-source DNS servers are insecure (having written one myself), I can see why he wants to say bad things about Open-source DNS servers.
The bottom line is this: There is no money to be made with DNS. While DNS is something that is essential for the Internet, it's something that is completely free. Bert Hubert tried making money with DNS a few years ago with PowerDNS, but sales were so bad he threw in the towel and GPLd the code around 2002. BIND 9 was, as it turns out, funded with a combination of contributions from UNIX corporations and military funding (for DNSSEC) who wanted to update DNS, but the funding has dried up and the code is BSD-licensed. NSD and Unbound's development were funded with government grants.
DjbDNS was done as an independent project by Bernstein; he stopped working on it in 2001 and the code is really out of date (three unpatched security holes, outdated root servers list, etc). My own MaraDNS is still being actively developed, but at a glacial pace; between my girlfriend, my job, and my other interests, I often have to put it on the back burner.
So, yes, DNS is essential, but it's free and it's really hard to make money with it. Heck, it's hard to get enough goodwill and net-reputation from making a DNS server for me to get a well-paying job in the US working with computers again in today's depression-level tech economy (if you want to hire someone with the expertise to write a DNS server, my resume is online).
So, yeah, I can see why this person resorts to FUD and BS to try and get people to pay more money for DNS. But, the truth is that there are a lot of really good free and open-source DNS servers out there and no need to buy a commercial DNS server.
MaraDNS is an open-source DNS server.
security by obscurity = automatic EPIC FAIL.
I won't be using nominum services, even if there's a free version. That's a confession of incompetence.