RealTime IT News

BIND 9.3 Offers More Security, Support

In a move to address corporate risk management rules for critical operations, the Internet Systems Consortium (ISC) is offering a range of commercial support for its open source Domain Name Server tool BIND as part of new security features in the latest version of BIND 9.3.

BIND, an acronym that stands for Berkeley Internet Name Domain, is an open source implementation of the DNS protocol and is in use on over 75 percent of the nameservers on the Internet.

DNS and BIND in particular have been the target of frequent attacks in recent years, something that the new version hopes to address with the addition of numerous significant security enhancements.

Among the security enhancements in BIND 9.3 is DNS Security (DNSSEC) code based on the Internet Engineering Task Force's (IETF) draft specifications.

According to Paul Vixie, founder of the ISC and current chair of its Board of Directors, the IETF has been working on DNSSEC for ten years.

"About every year or so they declare it complete, and then implementation begins and we discover that it's actually not complete," Vixie told internetnews.com.

"ISC hopes that by putting code on the street for early deployment, we can help the community 'shake down' the DNSSEC design before it's declared 'complete,'" he said.

DNSSEC will be turned off by default in the BIND 9.3 configuration file in order to ensure compatibility with current systems. The new versions of BIND also promise improved control and support for system and zone administrators with IXFR, RRset ordering and IPv6 transport, records and cache size.

With the release, the ISC will now also begin offering direct commercial support through the sale of annual support contracts to BIND users. The support ranges from basic e-mail support to 24/7 phone support.

"Many of the companies who use our software free of charge have told us that their corporate risk management strategy requires them to have a bona fide support channel for all of their critical operations," Vixie said. "In other words we were told that having the best software wasn't good enough, and giving it away for free wasn't good enough, we also had to ensure that commercial support was available or they could be forced to switch to software they didn't like as well just to get support."

According to Vixie, the ISC did not consider going the dual-license route that has become popular with other open source companies like MySQL and JBoss.

"Our corporate charter forbids us from putting restrictive licenses on our intellectual property," Vixie said. "We use the 'BSD License' which allows anyone to use or redistribute our software with or without fee, in source or binary form, under any license they wish. We permit full redistribution, so long as no one claims credit for our work, or fails to claim credit for their changes to our work, or tries to sue us."

BIND has often been chastised by net admins for being complicated and difficult to use. According to Vixie, further ease-of-use improvements are forthcoming in future releases of BIND.

"In 9.4 we will improve the documentation, by completely starting over, and we hope to offer binary distributions for customers who don't want to use a C compiler before using our software," Vixie told internetnews.com. "No GUI is planned, but we do hope to offer a middleware option that makes it easier for BIND to be integrated into existing GUIs and appliances."

The future of BIND has a lot to do with how well DNS can be secured, according to the ISC.

"Once DNS has some security and its answers can be trusted even by sensitive applications, we expect a lot more data to be stored in DNS and therefore managed by BIND," Vixie added.

"In 2004 our main goal is to stabilize the community and remove customer obstacles to more BIND deployments, but later in the year we expect to jointly announce an initiative that will speed up the DNS protocol evolution/standards process."

BIND 9.3 can also support servers with multiple IP addresses, and it includes additional server identification support and extended statistics.