BIND 9.3 Offers More Security, Support

By Sean Michael Kerner
Posted Apr 23, 2004


In a move to address corporate risk management rules for critical operations, the Internet Systems Consortium (ISC) is offering a range of commercial support for its open source Domain Name Server tool, BIND, alongside the new security features in the latest version, BIND 9.3.

BIND, an acronym that stands for Berkeley Internet Name Domain, is an open source implementation of the DNS protocol and is in use in more than 75 percent of the nameservers on the Internet.

DNS, and BIND in particular, has been the target of frequent attacks in recent years. The new version hopes to address this with the addition of numerous significant security enhancements.

Among the security enhancements in BIND 9.3 is DNS Security (DNSSEC) code based on the Internet Engineering Task Force's (IETF) draft specifications.

According to Paul Vixie, the founder of ISC and the current chair of its board of directors, the IETF has been working on DNSSEC for 10 years.

"About every year or so they declare it complete, and then implementation begins and we discover that it's actually not complete," Vixie told internetnews.com.

"ISC hopes that by putting code on the street for early deployment, we can help the community 'shake down' the DNSSEC design before it's declared 'complete,'" he said.

DNSSEC will be turned off by default in the BIND 9.3 configuration file to ensure compatibility with current systems. The new version of BIND also promises improved control and support for system and zone administrators with IXFR and RRset ordering, as well as IPv6 transport, records, and cache size.

With this release, the ISC will begin offering direct commercial support through the sale of annual support contracts to BIND users. The support ranges from basic e-mail support to 24/7 phone support.

"Many of the companies who use our software free of charge have told us that their corporate risk management strategy requires them to have a bona fide support channel for all of their critical operations," Vixie said. "In other words we were told that having the best software wasn't good enough, and giving it away for free wasn't good enough; we also had to ensure that commercial support was available or they could be forced to switch to software they didn't like as well just to get support."

According to Vixie, ISC did not consider going the dual-license route that has become popular with other open source companies like MySQL and JBoss.

"Our corporate charter forbids us from putting restrictive licenses on our intellectual property," Vixie said. "We use the 'BSD License' which allows anyone to use or redistribute our software with or without fee, in source or binary form, under any license they wish. We permit full redistribution, so long as no one claims credit for our work, or fails to claim credit for their changes to our work, or tries to sue us."

BIND has often been chastised by net admins for being complicated and difficult to use. According to Vixie, further ease-of-use improvements are coming in future releases.

"In 9.4 we will improve the documentation, by completely starting over, and we hope to offer binary distributions for customers who don't want to use a C compiler before using our software," Vixie told internetnews.com. "No GUI is planned, but we do hope to offer a middleware option that makes it easier for BIND to be integrated into existing GUIs and appliances."

The future of BIND has a lot to do with how well DNS can be secured, according to the ISC.

"Once DNS has some security and its answers can be trusted even by sensitive applications, we expect a lot more data to be stored in DNS and therefore managed by BIND," Vixie added.

"In 2004, our main goal is to stabilize the community and remove customer obstacles to more BIND deployments, but later in the year we expect to jointly announce an initiative that will speed up the DNS protocol evolution/standards process."

BIND 9.3 features the option to support servers with multiple IP addresses. It also includes additional server identification support and extended statistics.

This article was originally published on internetnews.com.
