Nominum Calls Open Source DNS "a Recipe For Problems" 237
Raindeer writes "Commercial DNS software provider Nominum, in an effort to promote its new cloud-based DNS service, SKYE, has slandered all open source/freeware DNS packages. It said: 'Given all the nasty things that have happened this year, freeware is a recipe for problems, and it's just going to get worse. ... So, whether it's Eircom in Ireland or a Brazilian ISP that was attacked earlier this year, all of them were using some variant of freeware. Freeware is not akin to malware, but is opening up those customers to problems.' This has the DNS community fuming. Especially when you consider that Nominum was one of the companies affected by the DNS cache poisoning problem of last year, something PowerDNS, MaraDNS and DJBDNS (all open source) weren't vulnerable to."
Linux seems to be fine... (Score:5, Insightful)
Blow more smoke up our posteriors... (Score:5, Insightful)
Good Grief (Score:5, Insightful)
I don't know about you, but any company that feels the only way they can sell their product is to basically slander their competitors isn't likely to get my attention. As it is, and as much of a pain in the ass as Bind can be, I have yet to encounter anything quite as powerful as Bind9. It's certainly not without flaws, but after having had to deal with the inadequacies of Microsoft's DNS, anyone who comes up to me and says "Oh yeah, those open source DNS servers are the lesser products" is either a liar or a moron.
Freeware will not eat your children (Score:5, Insightful)
"But it is opening up these customers to problems." Nice, textbook FUD/propaganda. Put the thought out there. Deflect attention from your own failings. Lump all 'freeware' DNS into the same basket. Call it 'freeware' instead of Open Source to link it to badly written DOS/Windows programs. Wow, this company is sleazy. It would be such poetic justice for some grey hat hackers to take these goons down.
Open source DNS is tried and true, everyone uses it. No one was ever fired for installing BIND. This new flash in the pan company has been hacked before, how long until they are hacked again? Why trust your DNS to some untested startup using inappropriate buzzwords like 'cloud computing?' Why pay for what you can get for free? Why outsource your DNS to someone who may or may not be here tomorrow? Heh. We can play at the FUD game, too.
Re:Good Grief (Score:5, Insightful)
I don't know about you, but any company that feels the only way they can sell their product is to basically slander their competitors isn't likely to get my attention.
And from the blog thats linked:
Way, way back when, Nominum employees successfully performed a denial of service attack on PowerDNS. I thought they had grown over this kind of behavior, but it appears they didn't.
I hope no one goes to Nominum, they play dirty. I don't think the internet needs to be more dirty, what with all the scammers out there, both hackers and ISP's alike.
Re:Even if what they say is true... (Score:5, Insightful)
... how can you trust these guys to write your DNS software? They're the very guys who were contracted to write Bind9, the foremost open source domain name server, which they're now complaining about.
The other question is if they are now using elements of the Bind9 source in their closed source system and are not properly disclosing it.
Re:Well (Score:5, Insightful)
The argument will be that since they run Redhat it's not considered open source or freeware, even though it is a Linux distribution that is proprietary.
It is easy enough to prove that Red Hat is open source, the problem is that the "repeat the press release" standard of journalism of the article that accepts any assertion made by an interviewee or a press release as fact.
Re:Well (Score:3, Insightful)
Contradictions (Score:5, Insightful)
You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside.
He contradicts himself, he tells you to kick the tyres and look under the hood, and then touts his product which he explicitly states won't let you look under the hood...
Re:Well (Score:4, Insightful)
+5 insightful. That's what most journalists do today - just publish the press release word-for-word, minus a few edits to make it fit inside the available column space or 1-minute soundbite. It's reached the point where you assume the journalists are just mouthpieces for the corporate liars (aka marketers).
powerdns was vulnerable, but differently (Score:3, Insightful)
Powerdns was vulnerable to the Kaminsky attack, but in a different way. It was actually easier to spoof the server due to its more actively dropping certain DNS packets. So while it did perform source port randomization, it was not totally immune to the attack either.
http://doc.powerdns.com/security-policy.html itself states:
All versions of PowerDNS before 2.9.21.1 do not respond to certain queries. This in itself is not a problem, but since the discovery by Dan Kaminsky of a new spoofing technique, this silence for queries PowerDNS considers invalid, within a valid domain, allows attackers more chances to feed *other* resolvers bad data.
Though it is phrased as "someone elses problem", in the DNS word of course nothing is "someone elses problem". DNS servers are chained in hierachies and one problem somewhere leads to problems elsewhere. DNS is all about protocol compliance to ensure interoperability. With the "someone elses problem" approach, we would have had no "reflection attack" and "amplification attack" problems either, it being "someone elses problem". Despite the nice phrasing, powerdns caused cache poisoning problems as a result of the Kaminsky attack that needed to be addressed.
In general, I have a problem with bug reports and changelogs writing things as "improved error handling", "made more robust" or "add security to" which are too often used to hide the real security impact of certain bugs. DJB's policy of "it is not my bug to fix, because it is an operating system bug" is also completely bogus from a system administrator point of view who still ends up with a security problem.
Re:BIND is past it's sell-by date. (Score:4, Insightful)
Have you ever even used Bind9? Yes, it's got a few hangovers from the olden days, but it is was damned powerful piece of software. Bind9 views are pretty much the most powerful networking server software component I've ever used. When I was the network admin for a small ISP, we had three separate WiFi networks that, because of the idiosyncrasies of the proprietary technology, each needed customized zones, as well as a Server 2000 AD network, and I was able to run all of them on a single set of Bind9 servers, as well as our public DNS servers for the domains we hosted. It took a bit of work to get it there (though not that much, like anything, it's more just getting used to the nomenclature).
As I recall, you can even plug an RDBMS like MySQL into it if that's how you want to manage your zones, though to be honest, I never much saw the point.
Re:Blow more smoke up our posteriors... (Score:3, Insightful)
Also "freeware" and "open source" mean the same thing, and we'll try to make you associate them with "malware".
Re:Freeware will not eat your children (Score:3, Insightful)
First, chroot is not a security measure. It was not designed as such, and it will not protect you from knowledgeable intruders.
Sure, BIND has had problems, but as you mentioned, the newest version is pretty tight. What's the take-away from this? Keep your servers patched. Duh.
Re:And I was always under the impression... (Score:3, Insightful)
We used to do commercial support for ISC products, but that didn't work out very well. The company's been reinvented a couple of times since then, and at this point all of our products are homegrown. But many of the original BIND 9 developers work at Nominum, and the author of the ISC DHCP server (me) works there too. That was then, this is now.
Re:Well (Score:5, Insightful)
Because that's the job of a reporter -- to investigate, analyse, interpret and explain the information. Otherwise, the reporter is adding no value and simple economic theory would suggest that his/her job should disappear.
And newspaper owners wonder why they are losing business?
Re:Even if what they say is true... (Score:3, Insightful)
... how can you trust these guys to write your DNS software? They're the very guys who were contracted to write Bind9, the foremost open source domain name server, which they're now complaining about.
The other question is if they are now using elements of the Bind9 source in their closed source system and are not properly disclosing it.
There's no disclosure requirement. Welcome to the joys of BSD licensing.
(personally, I respect people who want to give away all control of their work, but you can't then complain that someone lied about where they got it)
Bind9 has not been compromised recently ... (Score:4, Insightful)
We have heard that tired, old argument before, a few idiot CIOs will swallow it, happy to pay top dollar for something that the free s/ware does better. Let them, as long as Nominum sticks to the RFCs and doesn't fork the spec - we don't care.
Re:Blow more smoke up our posteriors... (Score:1, Insightful)
Do something about it (Score:4, Insightful)
Re:Freeware? (Score:3, Insightful)
Re:Yeah, Like Closed Source is better. (Score:3, Insightful)
Re:Linux seems to be fine... (Score:5, Insightful)
What's worse is they use BIND!
https://lists.dns-oarc.net/pipermail/dns-operations/2009-September/004481.html [dns-oarc.net]
Re:Well (Score:3, Insightful)
Because that's the job of a reporter -- to investigate, analyse, interpret and explain the information. Otherwise, the reporter is adding no value and simple economic theory would suggest that his/her job should disappear.
Ideally, yes. The problem, however, is that most non-investigative types of news stories originate from some kind of announcement, be it a speech, event, or press release. And most of those don't come with handout that lists of the names of people to call for more information. You get what you get.
If you're a professional enough reporter have a few names and numbers in your rolodex, you'll have a few names of people who know something, but rarely talk to reporters, and the names of people who are only too happy to talk but are responsible for writing the same press release you're covering. Which is where you started. The deadline is an hour away. What do you do? Report the story, or postpone until someone can devote more time to it, or cover it based on the information you have? The reader is impatient, and he's waiting.
And newspaper owners wonder why they are losing business?
Sure. We're all turning to bloggers. For their investigative skills.
Re:Well (Score:3, Insightful)