BIND 9.3 Released With Commercial Support
darthcamaro writes "Time for net admins to update BIND: version 9.3 has been released. internetnews.com has a story on it where they talk with Paul Vixie, the founder of BIND's keeper ISC. In it he details why after so many years BIND has finally decided to offer commercial support. 'Many of the companies who use our software free of charge have told us that their corporate risk management strategy requires them to have a bona fide support channel for all of their critical operations,' Vixie said. 'In other words we were told that having the best software wasn't good enough, and giving it away for free wasn't good enough, we also had to ensure that commercial support was available or they could be forced to switch to software they didn't like as well just to get support.' The full press release on the BIND 9.3 release is also available."
Wait till the next exploit,,, (Score:4, Informative)
Re:Wait till the next exploit,,, (Score:3, Informative)
Re:Wait till the next exploit,,, (Score:2)
Mind you, there are still plenty of places still running the 4.x codebase...
Re:Wait till the next exploit,,, (Score:2)
Re:Wait till the next exploit,,, (Score:5, Funny)
Re:Wait till the next exploit,,, (Score:5, Informative)
It's not clear why people continue to use BIND. It's probably because it's just assumed that it's the only thing out there. But everything from security to configuration is poorly done in BIND. I use tinydns [cr.yp.to] (part of djbdns) instead on all my servers. It's written by Daniel Bernstein, the same guy that wrote qmail. He's got a great track record -- no security holes in any of his software, AND he backs up that assertion with a $1000 prize to anyone that finds such a hole. He makes a better case for tinydns/qmail vs. BIND/sendmail than I ever could.
Re:Wait till the next exploit,,, (Score:5, Informative)
Critical exploits in BIND 9 still have to show up. The really nasty bug so far was actually in OpenSSL.
It's not clear why people continue to use BIND.
For the full resolver part, there are hardly any alternatives. If you need DNSSEC, your options besides BIND are even more limited.
tinydns is unusable for most people (who aren't masochists) because it doesn't conform to existing standards and practice. Just speaking the DNS protocol is not enough, you also have to implement some of BIND's quirks, and more important: the software has to be maintained. DNS is still evolving, DJB's software is not. (Some of it doesn't even compile on modern, POSIX-conforming systems.)
Re:Wait till the next exploit,,, (Score:5, Insightful)
I continue to use BIND because I don't like DJB's licence.
Re: (Score:3, Informative)
Re:Wait till the next exploit,,, (Score:2)
Re:Wait till the next exploit,,, (Score:2)
-russ
Re:Wait till the next exploit,,, (Score:4, Insightful)
As such you can't make changes and distribute them as part of an integrated set (in theory you could distribute just the patches but it's a grey area). Hence many people consider it "un-free". Some people see this as a problem.
Re:Wait till the next exploit,,, (Score:2)
Re:Wait till the next exploit,,, (Score:2)
Dan is pedantic and stubborn, and people just don't like that.
His software is also incredibly good. I would NEVER IN MY WILDEST DREAMS set up a caching only dns server on a machine with BIND. It is just asking for trouble. I use tinydns on every machine, and never think about it again. It is easy to setup. It is easy to install. It is easy to configure. It is fast. It is s
Re:Wait till the next exploit,,, (Score:2)
I do it on FreeBSD bastion hosts with zero issues.
What's your problem, specifically?
Re:Wait till the next exploit,,, (Score:4, Insightful)
I run Bind. I run Sendmail. I'll always use both. I supplement Bind with rbldnsd. I have no need to supplement Sendmail. Both do what I want. Since I'm not an incompetent moron I don't have any trouble configuring either of them. The claims people make about both/either being difficult to admin or insecure are complete bullshit. If the person was a half-assed competent admin neither would be a problem. I swear, what is the world coming to....
Re:Wait till the next exploit,,, (Score:2)
Re:Wait till the next exploit,,, (Score:2)
Yes, well, I knew how to fix my old 1971 SAAB with just a screwdriver and a wrench, and it always did what I wanted too, but that's not to say that I still drive it (went to the wrecking yard as a matter of fact). Because, quite frankly it was a piece of shit.
And that's my senti
Re:Wait till the next exploit,,, (Score:2)
Not a BIND issue. OpenSSL. When OpenSSL has an issue, you'll be recompiling everything you built against it, I hope. Responsible vendors will notify users that their software will become vulnerable if compiled with _______________ as a result of the new vulns...
Re:Wait till the next exploit,,, (Score:2)
tinydns has had disk-based permanent changes with no loss of uptime from version 0.0. tinydns supports all RR types, now and forever. You may need a pre-processor for newly-created RR types; oh well. At least you can serve up any record you want. If you can't get the least details about tinydns correct, I have to wonder if you kno
Re:Wait till the next exploit,,, (Score:2)
This is a simple reality in corporate use (Score:5, Insightful)
I can understand it to a degree; there's no guarantee that the version installed today will not be completely dropped next month. It gets a little aggravating when it holds up an entire project, though, because of one small piece.
The upside, of course, is more funding for critical projects.
Re:This is a simple reality in corporate use (Score:2)
How often have you guys seen positive ROI on a support contract?
I think as an organization gets larger, ROI analysis would suggest that they're better off managing the risks themselves -- just like at some scale it can be worth it to be self-insured in some things.
Many of these support contracts are really just the "Circuit City Extended Warranty" of the corporate world.
Re:This is a simple reality in corporate use (Score:5, Insightful)
Have you ever known a PHB that didn't get the extended Circuit City warranty? That's what this is all about -- selling it to the PHBs of the World so we can go on using our OSS that we know works and even with the support contract is cheaper than the commercial alternative.
Re:This is a simple reality in corporate use (Score:2)
volcano insurance of sorts.
Re:This is a simple reality in corporate use (Score:5, Insightful)
Re:This is a simple reality in corporate use (Score:5, Insightful)
The upside is that companies are used to and willing to fork over large sums of cash for those assurances. So, if you love an OSS project enough to dedicate your life to it, then get to know it inside and out and start offering commercial support for it. If the product is stable, you never have to answer the phone. If you charge $500 per year for support, 100 customers makes for a tidy income. And, honestly, most midsize corporations wouldn't even blink at $500 per year for support on something that goes on a server, unless it was in astonishment at how cheap it was.
Re:This is a simple reality in corporate use (Score:4, Insightful)
ROI calculations are easy, though. If your website might be down for 18 hours while your in-house support guy finishes sleeping, wakes up, and reconfigures BIND; and your web site makes $1000/hour; and the chance of this happening is 10% each year; it's very easy to translate to dollars.
How much business do you lose in those 30-seconds?
I think more .com's died because they overdesigned their "zero-downtime in case California sinks in an earthquake, so let's have our database mirror'd around the world"; rather than think through the (modest) implications of a couple hours downtime.
Re:This is a simple reality in corporate use (Score:2, Informative)
30 seconds??
Wow... you've never had to deal with support from Monolithic Corporation Inc., have you? ;-)
Re:This is a simple reality in corporate use (Score:2)
Re:This is a simple reality in corporate use (Score:2)
I have found that making people understand why they don't need to buy extended warranties is fairly easy: you just have to pitch it right.
The key is to get them to agree that the warranty is merely insurance and then point out that they can self-insure. In other words, that they could put the warranty money in an account that is only used to buy replacements for broken products.
Put in those terms, even PHB's usually get it.
Re:This is a simple reality in corporate use (Score:2)
As far as I know, that doesn't stop a whole lot of software companies from doing just that every year, forcing their customers to either upgrade at 80% of the full price or watch support for their current version dwindle down to the eventual EOLing in a year or two, maybe three. That is two or three years/version down the road of said product.
Also, what kind of support are we talking about here? REAL s
Re:This is a simple reality in corporate use (Score:5, Interesting)
Where I'm at now, it's not uncommon to see support contracts for one product (and not anything from or as ubiquitous as Microsoft, either) reach a quarter of a million dollars a year or more. It's insane.
Re:This is a simple reality in corporate use (Score:2)
Re:This is a simple reality in corporate use (Score:2)
I once asked the justification out of curiosity. I was told that they REALLY hated it when people made th
Re:This is a simple reality in corporate use (Score:2)
Where the customer is also likely to wind up with a large bill for "consequential costs"
or watch support for their current version dwindle down to the eventual EOLing in a year or two, maybe three. That is two or three years/version down the road of said product.
This is a technique proprietary software vendors appear to have hit on as
Re:This is a simple reality in corporate use (Score:2, Insightful)
On the other hand, I suppose if some huge IT company wanted to give me money for something I did for free in the community-based support forums already available, I'd take it too.
Re:This is a simple reality in corporate use (Score:2)
Re:This is a simple reality in corporate use (Score:2)
Finally (Score:4, Funny)
Why is this a surprise?! (Score:3, Insightful)
Read your EULA please. (Score:5, Insightful)
I think you'll find they amount to little more than "we'll do our best to support our l33t software".
Re:Read your EULA please. (Score:4, Insightful)
Re:Read your EULA please. (Score:2, Informative)
If you had a critical software problem, and you told the vendor you "won't buy another piece of software from them" you know what you still have?
Your same broken ass software, and a worse relationship with your vendor.
Read your EULAs, ask your lawyer about them, and then go do a little research on the reliability and fix times for problems in BIND, Postfix, Apache, OpenSSL/SSH, etc etc etc.
You'll find that you're better off in many cases with OSS, with many
Re:Read your EULA please. (Score:3, Insightful)
Yes, but how does megacorp have its cake and eat it too? How does megacorp take advantage of the inherent efficiencies of OSS? OSS can be had cheap, very cheap, but the real advantage is on the high end.
You've paid good money for whatever. That entitles your manager to call your salesman's manager and give him/her an earful. Not that it will do a lot of good, but at least it's something. The vendor has certain responsib
Re:Read your EULA please. (Score:2)
I'd also suspect that corporations have a moral sense that freeloading is not a viable long-term plan.
Thank you for your unique perspective of corporate morality.
EGO (Score:2)
Re:EGO (Score:2)
Not everyone is in it for the EGO rush, they like doing good things, and some like the recognition.
Re:Read your EULA please. (Score:3, Funny)
Re:Read your EULA please. (Score:2)
Re:Read your EULA please. (Score:2)
Isn't it a bit late by then?
Re:Read your EULA please. (Score:2)
I'll tell that to Microsoft next time I have a bug with any of their software.
Re:Why is this a surprise?! (Score:3, Insightful)
Re:Why is this a surprise?! (Score:2, Insightful)
Then he notices the note at the bottom of the browser about Free Software, he asks me how much it would cost to buy licenses, and my stupid answer is "It doesn't cost anything, (yeah yeah my
Re:Why is this a surprise?! (Score:3, Insightful)
That's completely reasonable. Would you take a hamburger from a guy on a street corner that was giving them away, even if he assured you that they were perfectly good... he just made them himself this morning?
Exactly.
Re:Why is this a surprise?! (Score:4, Insightful)
Would you take porn from a guy on street corner that was giving it away, even if he assured you that it was perfectly good...
Perhaps some analogies are flawed, I guess.
Shouldn't trust mum's cooking then ... (Score:3, Insightful)
Or how about when you go around to a new colleague's house for a BBQ, to get to know them. Do you eat the free food there ?
Or go to a party where everybody has to bring food or drinks. Do you eat the free food there ? Would you be offended if other people don't eat the free food that you brought ? If they don't, aren't they saying that you are untrustworthy ?
Free doesn't mean you can't trust something.
You are overlooking social and reputational consequences of providing something at no cost that has int
Not that they will do the right job, necessarily, (Score:2)
which is why I don't use BIND anyway.
Just pre-empting anybody who suggests I'm a BIND undercover agent.
Re:Java / .NET / Strict OOP (Score:3, Insightful)
Re:Why is this a surprise?! (Score:4, Informative)
Re:Why is this a surprise?! (Score:2)
Read your (Microsoft|Sun|Oracle|Intuit|etc.) EULA some time; it says the same damn thing
Re:Why is this a surprise?! (Score:2)
You get an implied warranty of fitness for purpose in many jurisdictions, although that is likely to be limited to a refund.
Surprised by opportunity (Score:3, Insightful)
Free software has whatever guarantee the vendor wants to sell with it -- and the vendor can be anyone! You just happen to be thinking of the case that most of us nerds are in, where we use the software without there being any vendor at all. Thus, there's no guarantee. But it doesn't have to be tha
Good to see they're 'getting it' (Score:5, Insightful)
What I think many programmers don't understand is that most people will often choose a so-so product from a well-run business over a better product from a poorly run business or organization. Having no guaranteed support mechanism for BIND (and other projects) does hurt adoption of those projects in many organizations. Optional support is essentially the best of both worlds, as long as the prices aren't cost prohibitive. If pricing is too high, there's much less incentive to switch, because people will usually settle for 'good enough' when 'way better' costs a whole lot more.
The best software? (Score:3, Insightful)
<PHB>Who needs competent sysadmins? (Score:5, Insightful)
Re:Who needs competent sysadmins? (Score:2)
Awww, don't get your panties in a wad. I was just going for some "Funny" karma.
Re:Who needs competent sysadmins? (Score:3, Insightful)
Exactly... they didn't need a competent sysadmin, they just had to do without until the cavalry arrived. That way, the IT department doesn't actually have to learn a whole lot about computers, they can just be glorified hardware techies that hire their buddies for good jobs, and pay vendors out the nose for tools and services they should be able to script or figure out themselves.
BlIND? (Score:4, Funny)
In technical terms... (Score:4, Funny)
Given what Paul Vixie is famous for [zawodny.com], I'd say the lines are:
0 0 1 1 *
5 0 1 1 *
He's bona fide. What are you? (Score:2, Funny)
Suit: But you ain't bona fide!
Todo (Score:5, Funny)
You know what? (Score:4, Funny)
Good move... (Score:3, Insightful)
hilarious (Score:4, Interesting)
They'd best make sure they have a support contract for their staplers. And for their pens & pencils, etc. Critical items, all.
Maybe this explains why it's so expensive to do business here, and jobs have to be shifted overseas. Then we can get our stapler support from India!
Symmetry. I like it.
Re:hilarious (Score:2)
NOT "Time for net admins to update" (Score:5, Informative)
I really hope that most net admins know better than to update until after the beta is over, and the release version comes out.
BIND 9.3.0 is not released yet. It is at beta 2, which was released two days ago.
Re:NOT "Time for net admins to update" (Score:2)
Re:NOT "Time for net admins to update" (Score:2)
guess that's why you're supposed to preview and test your links right? aaaugh that's gotta be a karma killer
Hope they don't go the way of redhat. (Score:2, Funny)
How the BIND company makes money (Score:5, Informative)
Re:How the BIND company makes money (Score:2)
djbdns supports every record type, because you can write a pre-processor for the 'data' file which creates any damn record you want. And tinydns will happily serve it up.
Any other "facts" you want to present?
Re:How the BIND company makes money (Score:2)
His software could comply with the FHS, but he wants his own
I've run bind for years and never had a security problem, thanks.
Re:How the BIND company makes money (Score:2)
What's wrong with rsync?
-russ
Well, that's convenient... (Score:3, Insightful)
That works out well, because BIND isn't anywhere near the best software, at least not for name serving. It is, however, an exceedingly reliable source of serious vulnerabilities, and considering how relatively simple DNS is, that's a monumental achievement in its own right.
Re:Well, that's convenient... (Score:2)
Re:Well, that's convenient... (Score:2)
please name a "serious vulnerability" for Bind 9
The ISC website [isc.org] lists the DoS_findtype bug, in all BIND versions prior to 9.2.1, and rates it "SERIOUS".
Support? why? (Score:4, Insightful)
BIND, Security, and You. (Score:2, Funny)
I trust you already have the Slashdot article entitled "Vulnerability found in BIND 9.3" queued up for Saturday, right ?
baffled by obsession with "official" support (Score:3, Interesting)
By far the best support I get is from newsgroups, mailing list archives, or simple RTFM'ing
A company with a boiler-room full of telephone techs simply isn't capable of providing better support than the support that the open source community already puts at my fingertips.
all open-source software should do this (Score:3, Insightful)
Regardless of what you think, corporations are all about minimizing risk and shifting blame onto someone else. Having a support contract is almost a minimum at many large corporations. If there is a problem, management would like to have the confidence that some specialist outside the organization will be helping--or more likely, blamed for the problems. It is much easier for management to blame another company than themselves. Which seems more easy to defend:
"hmm... my team is working as much as they can on it. It'll be resolved soon"
OR
"The problem is being dealt with. Our vendor (insert name; say Novell) is providing a resolution."
Sivaram Velauthapillai
Re:Is this a good thing? (Score:3, Informative)
How did this get a "Score 3, Insightful" when it's so completely WRONG?!? All the Red Hat source code is freely available - how "closed-only" is this?!?
Re:Is this a good thing? (Score:2)
With BIND from the ISC you can download their software (but you can also buy a support contract for it).
If you take into account that one of the goals of BIND is to make a reference platform for all features, you can't really do that with a closed-only solution.
Re:Is this a good thing? (Score:2)
Regardless, it'd be disingenuous to suggest that RedHat merely reaps opportunity off the hard work of others. That's true, of course, but they certainly contribute to many open source packages, not the least of which include kernel
Re:Is this a good thing? (Score:2)
When you release a binary for source under the GPL, you can put whatever restrictions on that binary you'd like. You must also, however, release the source on request, and cannot put any restrictions other than the GPL itself upon that source code.
Re:First Post? (Score:3, Informative)
Re:First Post? (Score:3, Informative)
Dan Bernstein might be an, uh, "colourful" character, but his software is fast, easy to use, easy to admin, and all around better than anything Vixie & crew could offer. Plus this guy's devotion to security is nothing less than astounding. I trust his internet tools wherever possible...shit, i even run an instance of his no frills HTTP server for images.
http://www.ntcanuck.com/ (Score:2)
Re: (Score:2)
Re:First Post? (Score:5, Informative)