D. J. Bernstein
Internet publication

How the BIND company makes money

The following quotes, from a wide variety of sources, demonstrate that the BIND company's primary money-making strategy is to sell security patches and other essential fixes for its buggy software. Of course, that strategy would break down if the software actually worked.

To understand some of these quotes, you have to know that there are several corporate shells inside the BIND company. The two most visible shells are ``Nominum'' and the ``Internet Software Consortium'' (ISC). BIND company employees like to pretend that these are separate companies (see, for example, the Mayer quotes below), but let's look at the facts:

Vixie and his partners have set up several other corporate shells: ``Vixie Enterprises,'' for example, and ``Internet Engines.'' Frankly, I don't care about the legal distinctions between these corporations; from an economic perspective, they're acting as an integrated unit.

In this list, * means BIND company owner, employee, or consultant.

1993.12.22, Paul Vixie*, on comp.protocols.tcp-ip.domains: ``I'm still working on BIND (without funding, sadly).''

1997.05.01, Kevin Oberman, on bind-users: ``ISC is having funding problems.''

1998.06.09, Paul Vixie*, on nanog: ``We're commercializing BIND since I'm no longer able to fund it out of my own pocket (my pocket is now empty) and we ended up not getting the kind of donations we needed as a nonprofit. While I'm committed to keeping a freely redistributable version and to shipping source code, I've got to be realistic about my mortgage payment and the lack of speed and quality of BIND's evolution when it can only get worked on by volunteers.''

1998.08.25, Network Associates press release: ``[NAI] announced today that its advanced research arm, TIS Labs, has been awarded a development contract to add security to one of the fundamental protocols of the Internet. The $1.4 million contract, awarded by the Department of Defense's Advanced Research Projects Agency (DARPA), calls for Network Associates to create a new generation of the DNS system. This contract will be performed in concert with the Internet Software Consortium.''

1999.06.10, Brad Knowles, on news.software.nntp: ``Look at the team that Paul built for maintaining and developing BIND, all of whom then got sucked up into doing BIND version 9. ... The folks at the ISC ... tend to be pretty top-notch, at least IMO. Of course, I would be rather biased in this area, as I came fairly close to working for Paul. If things had turned out differently (and I hadn't screwed them up), I might today be a paid employee of one of the companies that Paul spun off from Vixie Enterprises, and might be a contractor for ISC working on BIND, INN, or who knows what.''

1999.06.13, David Conrad*, on bind-users: ``Almost all of ISC's resources are currently being applied to the development of BIND version 9.''

2000.01.05, Mark Andrews*, on bind-users: ``Mark Andrews, Nominum Inc. / Internet Software Consortium.''

2000.03.07, David Conrad*: ``ISC is a California non-profit corporation ... Nominum is the for-profit spin-off ... ISC out-sources all tasks: No employees; Nominum does development, support, and consulting; Acme Byte & Wire does training.''

2000.04.19, Kevin Darcy, on bind-users: ``A few years back, we took out a support contract on BIND, and it ended up being a total waste of money. We haven't repeated that mistake.''

2000.04.19, Joseph Yao, on bind-users, responding to Darcy: ``Much to ISC/Iengines/Nominum's distress, I'm sure. :-) Now, if this were certain large Northwest companies, they might start building in some bugs to force you to pay them for maintenance. Say, you don't suppose ... ;-) ;-) ;-) only.''

2000.08.24, Jim Reid*, on bind-users: ``It's also possible to get a support contract for BIND from my employer, Nominum.''

2000.10.03, Paul Vixie*, in an interview with Dave Wreski: ``In 1998, Jerry Scharf, who was the Executive Director of ISC, convinced the remaining UNIX vendors and a few government agencies that the only way to support all of the new DNS protocol enhancements was to totally rewrite BIND.''

2001.01.29 23:25:06, Paul Vixie*, on bsdi-users: ``See BIND9. Written by a new team, sharing no code with BIND8. Two years in the preparation. 6+ months of testing. ... BIND9 is a complete rewrite by completely different (read: better) people.'' (In fact, the team was not ``completely different.'')

2001.01.31 17:36:02, Paul Vixie*, on bind-announce: ``ISC has historically depended upon the "bind-workers" mailing list, and CERT advisories, to notify vendors of potential or actual security flaws in its BIND package. Recent events have very clearly shown that there is a need for a fee-based membership forum ... Features and benefits of "bind-members" status will include: 1. Private access to the CVS pool where bind4, bind8 and bind9 live 2. Reception of early warnings of security or other important flaws 3. Periodic in-person meetings, probably at IETF's conference sites 4. Participation on the bind-members mailing list.''

2001.02.01 01:02:48, Theo de Raadt, on bugtraq: ``Security information for dollars? What does the community think of this change in direction? (Myself, I think it is a terrible idea to charge money for security information access, and that closing BIND up like this is also going to be harmful)''

2001.02.01 09:26:06, Jim Reid*, on bugtraq: ``Nobody's suggesting BIND will get "closed up" ... The BNF is simply a way for the ISC to broaden its source of funds, get input from people who are serious BIND users and co-ordinate the future development of BIND. It's nothing more sinister than that.''

2001.02.01 13:03:14, Dragos Ruiu, on bugtraq: ``isc loses mind ... do you mean that all it will cost me is a few bucks spent on a cabal membership and I can have a big head start on exploiting any new DNS bug and thereby facilitating 0wn1ng every host on internet before anyone has any chance to fix things or even know they're vulnerable(so that they can take _some_ sort of precaution if possible)? ... Sorry for the strong words, but the ISC is fucked up, apparently.''

2001.02.01, Robert van der Meulen, on bugtraq: `` 'early warnings' ?? This means that buggy, insecure bind versions can be running anywhere, and only the 'elite bind-members crew' is allowed to know? Sick.''

2001.02.01, Rich Puhek, on bugtraq: ``Are support contract sales at nominum lagging (http://www.nominum.com/services/support/)?''

2001.02.01, Dan Grillo, on bugtraq: ``If ISC is charging money to distribute information, they'll need to show the people that are paying the money "value". They only way to provide "value" to the payers is to withhold (delay, dilute, etc) information from the general community.''

2001.02.01, Daniel Brandt, on bugtraq: ``People are late patching their servers at it is, why delay it further by putting in a middle hand like this? The vast majority of people running bind-servers won't be entitled to be members of this "elite"-forum.''

2001.02.01, Sid Van den Heede, on bugtraq: ``One wonders what Paul was thinking. Which particular "recent events" is he referring to, and how have they "very clearly shown" the need for this draconian change.''

2001.02.02 10:14:19, Dragos Ruiu, on bugtraq: ``I've lost count of the number of incidents I've dealt with on my own and my customer's boxes that involved named exploits as the initial entry vector.''

2001.02.04 06:32:01, Paul Vixie*, on bind-members: ``History has shown that most large projects have bugs, and that some of these bugs will be security related or otherwise critical. BIND has had its share of bugs, including critical ones. Because ISC lacks the hubris needed to announce that there will never be another security-related or otherwise critical bug in BIND, and because BIND is used on 90% of the world's name servers including the root and TLD servers, we are formalizing the way we will handle any future bugs which are found. ... If someone else's DNS software ever runs on 80% of the Internet's name servers and is shipped in source form that can run on a dozen or more architectures, ISC will certainly feel that we have much to learn from the authors of that software. ... We've spent more than $2.5M on BIND9, which is a complete rewrite, and which took a dozen senior or supersenior DNS software experts over two years to complete.''

2001.08.09, Michael Kjorling, on bind-users: ``I have absolutely no problems with Nominum making money to support the continuing development of BIND. After all, they are a company.''

2002.01.17, Don Stokes, on bind-users: ``Some of us here would like better information than "there are bugs fixed so upgrade" before running off to do an upgrade. We'd also like it for something less than the five digit US$ price I've been quoted for Nominum's minimum support contract.''

2002.01.17, Mark Andrews*, on bind-users, responding to Stokes: ``What does this have to do with ISC or with why one should upgrade?'' (As if ISC and Nominum weren't working together!)

2002.01.17, Don Stokes, on bind-users: ``Once apon a time there was a set of support contracts available listed on the [ISC] web site, some of them at quite reasonable prices. Now it just says "go talk to Nominum". Well, we did, and they *only* offer very comprehensive support, for an equally comprehensive price.''

2002.11.13, Danny Mayer*, on bind-users, in response to my mentioning ``BIND company employee Jim Reid'': ``Jim works for Nominum and not for ISC which is responsible for BIND.''

2002.11.13, Alan Cox, on slashdot: ``ISC did not tell the Linux vendors. ... Why they didn't we don't know. They've not explained that yet. The exciting conspiracy theory is that its [sic] an attempt to force people to join their pay to play early notification stuff. The more boring posibilities are that they forgot, or that ISS didn't give them enough notice either.''

2002.11.14 14:22:05, Michael Brennen, on bugtraq: ``At 13:02 CST this afternoon per the ISC announcement, about an hour after receiving the bug announcement, I requested bind 8 patches from Lynda McGinley, Executive Director of ISC. I received a response from her roughly 8 hours later this evening that I had been added to the patch announce list. My thanks to Lynda for that, but she did not give direct information on where to get the patches, and I have received nothing from the patch announce list. I don't know when I can expect to receive anything -- tonight, next week, or next month? ... I have not yet heard a satisfactory answer why were patches not publicly available when this announcement was made. More troubling, why has ISC not released the patches yet? As of 23:44 CST, about 12 hours after the first announcement, nothing beyond 8.3.3 is available in the normal directories on ftp.isc.org, yet updates clearly exist. ... I don't know of a similar incident when the known patches to such a serious problem were withheld by a software provider. This is particularly true in the case of software of which its security and stability are the most crucial to the operation of the Internet.''

2002.11.15 17:08:06, Olaf Kirch, on bugtraq: ``Members of BIND Forum were notified last week, from what I'm told. In my opinion, the main reason for ISC to use this method of distributing the patches rather than going through established channels (such as CERT) was to be able to convince software vendors and other bodies using/distributing BIND to become a member of BIND forum. ... I know that most Linux distributors, as well as some BSD folks, tried to reach someone at ISC for 36 hours, without success (we were notified of the issue on Tuesday, approx 14 hours ahead of the publication of ISC's and ISS's announcements).''

2002.11.15 19:36:02, Chris Adams, on bugtraq: ``I also (per the announcement from ISC) emailed Lynda McGinley requesting patches. I never received a response. I kept watch on the ISC web site and downloaded the patch last night (the file timestamps in the patch are all Oct 30 2002, so the patch was ready in plenty of time).''

2002.11.16 15:46:10, Matthew Dixon Cowles, on bugtraq: ``Particularly ironic in light of ISC's apparent delay in releasing patches is this from the BIND Member Forum FAQ: `Q: So the bind-members Forum programme does not restrict or delay any access to which the industry has become accustomed? A: Right.' ''

2002.11.18, Dan Verton, Computerworld reporter: ``ISC is under fire for the fee-based procedures it follows ... The first companies to receive notification were the paying members of ISC's early-alert notification service. The rest of the Internet security community [had to wait more than two weeks]. And even then, some security administrators said they couldn't locate a patch as much as 12 hours after the public announcement was made. ... Fees vary depending on the type and size of the subscription. An individual pays roughly $100 per year, while a large company can expect to pay $50,000 per year to be a member of the ISC forum. ... "Deliberately withholding patches for root access security bugs is irresponsible in the extreme," [Michael Brennen] said. "Whether or not it is extortion is for others to decide." ... Keith Morgan ... said delivering early-warning information to a "paying elite" is a conflict of interests that should be criminal. "This is a company exploiting security flaws in its own software to turn [a] profit," said Morgan.''

2002.11.22, ComputerWire reporter: ``The organization came in for some criticism in reports yesterday over the way it handled the latest vulnerabilities discovered in BIND. After an advisory was issued, the ISC made efforts to verify the identity of people requesting the patch before sending it. At the same time, it also took the opportunity to pitch its membership services, prompting some BIND users to claim the company was operating a "cash for patches" scheme. ... For a year's membership, corporations with over $2bn annual revenue must pay $50,000, and those below $2bn must pay $5,000. Non-profits pay $1,000 and individuals a minimum of $100. To get the bonus service that sends security vulnerability warnings 10 days in advance of public disclosure, members must pay an extra 20% of their dues.''

2002.11.30 01:05:08, Danny Mayer*, on a DNS standardization mailing list, after I labelled him ``BIND company employee Danny Mayer'': ``I am not and never have been an employee of either ISC or Nominum.'' (No mention of the fact that he had been hired as a Senior Software Engineer at the BIND company. In response, I labelled him ``BIND company consultant Danny Mayer,'' apologized for getting his tax status wrong, and said ``The fact remains that you're not disclosing your financial interests in BIND.'')

2002.12.01 22:40:08, Danny Mayer*: ``I have no financial interests in BIND, though I see no need to discuss my financial interests in anything, least of all to you. If I make use of BIND in the course of my employment or in pursuance of new employment, do you consider that a financial interest?'' (Still no mention of his special relationship to the BIND company. My response: ``Is your pretense of independence part of the BIND company's strategy for packing this standards committee, or have other BIND company people been quietly warning you that you should fess up?'')