# Anyone using bind ?



## rudelgurke (Jan 20, 2017)

Just asking because ISC decided to have an early-access subscription for security updates. So (paying) subscribers get security updates before everyone else.

Source: https://www.isc.org/bind-subscription-2/

Gotta be lucky bind is no longer shipped in base and there're plenty of other nameservers to choose from.


----------



## SirDice (Jan 20, 2017)

rudelgurke said:


> So (paying) subscribers get security updates before everyone else.


Not exactly. They get _notified_ before anyone else. 



> All our BIND support subscriptions include *early notification of critical security vulnerabilities*, before the vulnerability is made public.



And you get offered an early patched release. But only 3-5 days before the public release. 


> As much as five days BEFORE the public announcement, (at least 3 business days) we notify our subscribers of the problem, individually and privately, and offer them a revised version of BIND that fixes the problem.



But besides that it's just a basic support contract. Your bug reports get priority over community reported bugs. And if you have a critical issue you have an SLA to fall back on.


----------



## rudelgurke (Jan 20, 2017)

Still - 3-5 days are more than enough. Taking the example that I run a non-profit organization that wishes to "enhance direct social contacts between people", I'd subscribe, wait for some DoS problem, get a patch and have 1 day to get an exploit ready.
Then I've 2-4 days to target dyn.com and the US east coast finds that resolving addresses is problematic, so people go out to meet other people - of course my non-profit organization did it just for the general good.
Or I'm evil government A, criminal B ... the list goes on.
My point is, once they know about security problems this knowledge shouldn't be used to monetize - non-profit or not, because the only difference between ISC and - let's say - Vupen is that one is doing it for profit, the other one not, but in both cases it's morally incorrect.


----------



## gkontos (Jan 20, 2017)

You need to understand that people who write or maintain software, even open source, need to make a living too.


----------



## SirDice (Jan 20, 2017)

Besides that, I very much doubt this is something new. As far as I know they've been doing this for years. At least since 2001. 



> *2001.01.31* 17:36:02, Paul Vixie*, on bind-announce: ``ISC has historically depended upon the "bind-workers" mailing list, and CERT advisories, to notify vendors of potential or actual security flaws in its BIND package. *Recent events have very clearly shown that there is a need for a fee-based membership forum* ... Features and benefits of "bind-members" status will include: 1. Private access to the CVS pool where bind4, bind8 and bind9 live *2. Reception of early warnings of security or other important flaws* 3. Periodic in-person meetings, probably at IETF's conference sites 4. Participation on the bind-members mailing list.''




https://cr.yp.to/djbdns/blurb/bindmoney.html


----------

