Bind and Nominum

I thought yesterday’s article (well, it actually reads like an advertorial) on ZDNet UK regarding BIND and Nominum’s new Skye offering was a joke. Then I realised that no, it wasn’t. But why would the ZDNet author, Toby Wolpe, start with such an inflammatory header? Is he actually looking to be flamed and seen as a useless tech writer? And his lack of challenge to Skye GM Jon Shalowitz was appalling. Let’s go through Mr. Jon Shalowitz’s arguments for his product:

1. “Freeware legacy DNS is the internet’s dirty little secret — and it’s not even little, it’s probably a big secret. Because if you think of all the places outside of where Nominum is today — whether it’s the majority of enterprise accounts or some of the smaller ISPs — they all have essentially been running freeware up until now”

What? Does Shalowitz actually know the difference between freeware and open source? Does he know that BIND is not freeware? ISC publishes BIND’s full source under a permissive open-source licence; freeware is gratis binaries with no source at all, which is closer to what Nominum ships. And why is it a dirty little secret? No answer on any of these …

2. “Given all the nasty things that have happened this year, freeware is a recipe for problems, and it’s just going to get worse.”

There haven’t been that many nasty things this year with BIND specifically. The serious DNS problems of the past year were weaknesses in the protocol itself, not in a single product: last year’s cache-poisoning issue hit every resolver that did what RFC 1035 describes, accepting an answer on the strength of a 16-bit transaction ID and a reused UDP source port, whatever the vendor. Seeing as BIND is in effect the reference implementation of the DNS standards, Mr. Shalowitz’s product would inherit the same protocol-level vulnerabilities. Unless he is selling a non-standard product; but seeing as it’s closed source, no one can make that determination.

3. “So we’ve seen the majority of the world’s top ISPs migrating away from freeware to a solution that is carrier-grade, commercial-grade and secure.”

The top ISPs have never migrated anywhere – they’ve always used their own solutions. And considering that the top ISPs account for only a small share of the DNS servers deployed on the planet, that leaves BIND running the bulk of the internet.

4. “If I have a secret way of blocking a hacker from attacking my software, if it’s freeware or open source, the hacker can look at the code.”

Shalowitz’s argument is security by obscurity, which was debunked many years ago: Kerckhoffs’s principle says a system must stay secure even when everything about it except the key is public. Withholding the source doesn’t stop an attacker from looking; it means they disassemble the binary or fuzz the running server instead of reading the code, while the defenders and auditors who would have reviewed it are the only ones locked out. Why is he peddling this nonsense now? Surely he can’t be that uninformed …

5. “I would respond to them by saying, just look at the facts over the past six months, at the number of vulnerabilities announced and the number of patches that had to be made to Bind and freeware products. And Nominum has not had a single known vulnerability in its software.”

He links to one hole in BIND itself in the last six months. Pity he didn’t mention the hole in his own software in the previous six months …

6. “But we run over half the internet”

Yes? Since when? Where are the stats?

Some more info: Nominum’s Vantio product was subject to last year’s cache-poisoning vulnerability, while many open-source DNS packages (the ones that already randomised their query source ports) weren’t. So is Shalowitz being deliberately disingenuous, or is he just that uninformed? In closing, one of Nominum’s DNS servers is running BIND, while their web server runs Apache on Linux …
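To make the point behind items 2 and 5 and the Vantio remark above concrete, namely that last year’s poisoning weakness lived in the protocol and not in any one vendor’s code, here is an added example. It is not part of the original post and is not Nominum’s, ISC’s or anyone else’s product code. It assumes the vulnerability in question is the 2008 Kaminsky cache-poisoning attack, models the resolver as RFC 1035 describes it (an answer is accepted if it matches the query’s 16-bit transaction ID and arrives at the UDP source port the query left from), and uses constructed constants for the reused port and the ephemeral port range:

```python
"""Kaminsky-style cache poisoning as an entropy race (constructed model).

A resolver accepts an answer only if it carries the 16-bit transaction ID
(TXID) it sent and arrives at the UDP source port it used. That is RFC 1035
behaviour, so every conforming resolver is exposed in the same way. The fix
that shipped in 2008, drawing a fresh random source port per query, does not
change the protocol; it only widens the space the attacker has to guess.
"""
import math
import random

TXID_SPACE = 1 << 16                 # 16-bit transaction ID
PORT_LOW, PORT_HIGH = 1024, 65536    # assumption: ephemeral port range in use
PORT_SPACE = PORT_HIGH - PORT_LOW
FIXED_PORT = 53000                   # assumption: the one port a non-randomising resolver reuses


def guess_space(randomize_port: bool) -> int:
    """Number of (TXID, port) combinations an attacker has to search."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def success_probability(randomize_port: bool, forged_per_race: int, races: int) -> float:
    """P(at least one forged answer is accepted) over `races` independent races.

    Each race: the attacker triggers a lookup for a fresh random name under the
    victim domain and fires `forged_per_race` distinct guesses before the real
    answer arrives. A miss costs nothing, so the attacker simply races again.
    """
    per_race = min(1.0, forged_per_race / guess_space(randomize_port))
    return 1.0 - (1.0 - per_race) ** races


def races_needed(randomize_port: bool, forged_per_race: int, target: float = 0.5) -> int:
    """Races needed before the cumulative success probability reaches `target`."""
    per_race = min(1.0, forged_per_race / guess_space(randomize_port))
    if per_race >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - per_race))


def simulate_races(seed: int, randomize_port: bool, forged_per_race: int, races: int) -> int:
    """Monte-Carlo version of the race; returns how many races the attacker won.

    The resolver draws a TXID (and a port, if randomising) per query. Against a
    fixed port the attacker learns it once (by querying the resolver for a name
    it controls and watching the outbound query) and then walks TXIDs in order;
    against random ports it has to sample (TXID, port) pairs blind.
    """
    rng = random.Random(seed)
    wins = 0
    for _ in range(races):
        txid = rng.randrange(TXID_SPACE)
        port = rng.randrange(PORT_LOW, PORT_HIGH) if randomize_port else FIXED_PORT
        if randomize_port:
            guesses = set()
            while len(guesses) < forged_per_race:
                guesses.add((rng.randrange(TXID_SPACE), rng.randrange(PORT_LOW, PORT_HIGH)))
            hit = (txid, port) in guesses
        else:
            hit = txid < forged_per_race   # attacker sends TXIDs 0 .. forged_per_race-1 to the known port
        wins += hit
    return wins


if __name__ == "__main__":
    for randomised in (False, True):
        label = "random port" if randomised else "fixed port"
        print(f"{label}: search space {guess_space(randomised):,}, "
              f"races to 50% with 100 forged packets each: {races_needed(randomised, 100):,}")
    print("fixed port, full TXID sweep, 20 races won:", simulate_races(7, False, TXID_SPACE, 20))
```

With 100 forged packets per race, a resolver on a fixed port falls to a coin-flip after roughly 450 races, which an attacker can drive in seconds; with randomised ports the same budget needs on the order of thirty million races. Nothing in that arithmetic depends on whose resolver is on the other end, which is why the port-randomisation fix had to be shipped by every vendor, closed or open, and why the open-source resolvers that already randomised were simply not on the list.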

UPDATE: ZDNet US’ Dan Blankenhorn has also weighed in on the subject and seems as mystified by Wolpe’s article as I am …