Anyone using bind?

So (paying) subscribers get security updates before everyone else.
Not exactly. They get notified before anyone else.

All our BIND support subscriptions include early notification of critical security vulnerabilities, before the vulnerability is made public.

And you get offered an early patched release. But only 3-5 days before the public release.
As much as five days BEFORE the public announcement, (at least 3 business days) we notify our subscribers of the problem, individually and privately, and offer them a revised version of BIND that fixes the problem.

But besides that it's just a basic support contract. Your bug reports get priority over community reported bugs. And if you have a critical issue you have an SLA to fall back on.
 
Still - 3-5 days are more than enough. Taking the example that I run a non-profit organization that wishes to "enhance direct social contacts between people": I'd subscribe, wait for some DoS problem, get a patch and have 1 day to get an exploit ready.
Then I have 2-4 days to target dyn.com, and the US East Coast enjoys problematic address resolution, so people go out to meet other people - of course my non-profit organization did it just for the general good.
Or I'm evil government A, criminal B ... the list goes on.
My point is, once they know about security problems this knowledge shouldn't be used to monetize - non-profit or not - because the only difference between ISC and - let's say - Vupen is that one is doing it for profit and the other one not, but in both cases it's morally incorrect.
 
You need to understand that people who write or maintain software, even open source, need to make a living too.
 
Besides that, I very much doubt this is something new. As far as I know they've been doing this for years. At least since 2001.

2001.01.31 17:36:02, Paul Vixie*, on bind-announce: ``ISC has historically depended upon the "bind-workers" mailing list, and CERT advisories, to notify vendors of potential or actual security flaws in its BIND package. Recent events have very clearly shown that there is a need for a fee-based membership forum ... Features and benefits of "bind-members" status will include: 1. Private access to the CVS pool where bind4, bind8 and bind9 live 2. Reception of early warnings of security or other important flaws 3. Periodic in-person meetings, probably at IETF's conference sites 4. Participation on the bind-members mailing list.''


https://cr.yp.to/djbdns/blurb/bindmoney.html
 