ISC’s Organizational Health and Operations

Financially and organizationally, ISC is in good health, with no major concerns. Revenues in 2024 were strong, nearly $7.7M, which was enough to cover development expenses for our BIND and Kea programs, as well as to fund our overhead, F-root operations and Stork development, which don’t generate any revenue. 

ISC ended 2025 with 45 staff, over half of whom are software engineers. The BIND team consists of 16 engineers, with 6 of these focused on QA and release operations. The combined DHCP/KEA and Stork team has 10 software engineers, including 3 focused on QA and release operations. Three engineers manage the F-root operations, and some of our internal computing infrastructure. We have seven support engineers, who take turns providing on-call coverage nights and weekends. This leaves 5 people in sales and marketing and 4 in G&A.

ISC currently has only a single layer of management, which limits our ability to grow further, because we don’t want to add another layer. We are content with our current size, because we feel we have an effective and efficient structure and a pleasant work environment. Everyone at ISC works remotely, and we meet in person twice a year for dedicated working meetings, as well as occasionally, at technical conferences.

ISC Core Programs

BIND 9

We hired three new BIND engineers, bringing the team to a total of 9 developers, 5 QA staff and two managers (Director of DNS Engineering and BIND 9 QA Manager). 

We postponed the January 2024 BIND releases, skipped June and November and issued a total of 25 open source releases + 12 -S versions - plus packages for all of this.

We released BIND 9.20, a new stable version that completed the transition to new libuv-based event loops, begun with BIND 9.16 and continued in 9.18. We had received reports that some long-duration tasks, like updating statistics, handling transfers and similar system work, seemed to be blocking query resolution in very busy systems, so we added specialized thread pools to offload long-duration tasks. This was our first stable version with a new database infrastructure, qp-trie, replacing a red-black tree for functions requiring a database, including the zone database, server database and resolver cache. The transition to libuv and qp-trie were major refactoring projects, involving multiple developers for many months, and requiring extensive testing to discover any performance impacts. The result is a system that scales better on modern platforms.

The DNSSEC signing system has received a major update, and now uses the DNSSEC Key and Signing Policy (KASP) system for managing signed zones. The BIND team added more extended error codes and zone transfer statistics, updated our catalog zones implementation, and implemented the ProxyV2 protocol. ISC staff helped to incubate the Deleg proposal, which is now a new IETF working group, working on a standard for providing more information about the authoritative servers for a zone.

We evaluated, mitigated and published eleven BIND CVEs, several of which were dns-wide multi-vendor issues at the protocol level, requiring extensive coordination with other parties. These vulnerabilities take longer to fix and publish, because of the overhead of coordinating with other teams. Historically, most of our CVEs have been assertion failures, but lately there has been a lot of research into overloading different elements of the DNS, resulting in a number of CVEs that can exhaust resources. Some of the mitigations will necessarily require placing limits on the size or number of records BIND will process, which may end up requiring configuration changes for some users. 

• CVE-2023-4408: Parsing large DNS messages may cause excessive CPU load
• CVE-2023-50387: KeyTrap - Extreme CPU consumption in DNSSEC validator
• CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources
• CVE-2023-5517: Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is enabled
• CVE-2023-5679: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution
• CVE-2023-5680: Cleaning an ECS-enabled cache may cause excessive CPU load
• CVE-2023-6516: Specific recursive query patterns may lead to an out-of-memory condition
• CVE-2024-0760: A flood of DNS messages over TCP may make the server unstable
• CVE-2024-1737: BIND’s database will be slow if a very large number of RRs exist at the same name
• CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
• CVE-2024-4076: Assertion failure when serving both stale cache data and authoritative zone content

As an open source project, anyone open an issue in our repository, and many people do. The BIND team has a generous backlog of (as of this minute) 613 open issues. They typically close between 25 and 50 per monthly release, so there is plenty to choose from. Of the open issues, 96 are labelled as bugs, 132 are feature requests, 22 are labelled documentation issues and 70 are ToDo items related to tests.

Our bind-users mailing list has continued to be busy and provide helpful advice. We currently have 2408 subscribers to bind-users. We encourage all users to subscribe to the very low-traffic bind-announce mailing list, where we announce new releases and feature deprecation. Current subscribers to bind-announce: 3459.

Kea

We plan to post a separate blog going into more details on the many accomplishments in the Kea project in 2024, but here are a few highlights:

We released 12 Kea releases, including a new stable version, Kea 2.6. We created the Kea-migration page on the website, put up a live Kea migration utility on the web, and released a packaged version of the KeaMA utility.

We have seen Kea adoption and deployment expanding into a wider range of enterprise environments; our early adopters tended to be access providers (ISPs). Questions about ISC DHCP migration continue, and probably will continue for several more years.

The Kea project is very busy, and also has a healthy number of open issues, 690 at this writing. The monthly development releases typically resolve 20 - 35 issues. Of the open issues, 44 are labelled bugs and 137 are labelled enhancement or feature. The kea-users mailing list is growing, and has provided a lot of users with configuration help this past year. At this writing the list has 558 members.

Stork

Stork has come a long way in 2024, breaking out from a read-only monitoring system to provide comprehensive configuration control for Kea. We released 8 versions, including Stork 2.0, issued in November. With that release, we began offering professional support for Stork, and included it under our ISC Software Support and Security Vulnerability Disclosure policy documents. 

We launched a live demo site for Stork (demo.stork.isc.org) to let prospective users try it out with minimal effort. Our marketing team is thrilled to finally have a product with interesting screen shots!

We have ramped up our efforts to track potential vulnerabilities in the Stork dependencies, because the web ecosystem tends to have relatively frequent issues, and we published our first Stork CVE:

[CVE-2024-28872: Incorrect TLS certificate validation can lead to escalated privileges](CVE-2024-28872: Incorrect TLS certificate validation can lead to escalated privileges)

F-root

ISC added new F-Root sites in Belgrade (Serbia), Pavlodar (Kazakhstan), Lviv (Ukraine), San Pedro Sula (Honduras) and replaced the equipment in Warsaw (Poland), with thanks to our site sponsors.

ISC’s support customer base

We have literally no idea how many users there are of our software, but we have frequent, excellent communications with our support customers. ISC’s technical support services fund all the rest of our operations, including the development and maintenance of our open source. 2024 was a good year for our technical support service.

We hired two new support engineers, which required interviewing dozens of candidates. These additions brought our support team up to a total of 7 engineers, including the Director of Support (who is also a capable support engineer, of course).

In the middle of the summer, we migrated all our support customers and their open tickets from a large commercial support system, back to our old open source ticketing system, Best Practical’s Request Tracker. It turned out that our support customers preferred the email and text interface of the older system to the vastly fancier, and more complicated, commercial system.

We implemented a new process for publishing Advance Security Notifications to our customers, using the ticketing system.  We heard that some of our support customers don’t follow our announcement mailing lists, so we added announcement channels in our ticketing system.

2024 saw a significant increase in requests for assistance in migrating from ISC DHCP to Kea, both on the mailing lists, and among our support customers. 

Support customer numbers

We have 187 total customers with Basic, Enterprise or OEM support agreements that extend into 2025.   88 of these customers have BIND support contracts, and 95 have Kea and/or DHCP contracts. 144 of our customers were returning from prior years, 43 were new to us.  This is a net of 34 more support customers than we had at the start of 2024, so we more than replaced the few customers who did not renew. 

We have a total of 211 on-going support contracts, because many customers have support from us for multiple products.  

Support customers by region: 

North America 101 Europe 57 APAC 19 South America 5 ROW 5 (includes Middle East, Africa and India) In addition, we entered 2025 with 43 subscribers for Kea Premium whose subscriptions extend beyond 2024. These customers are self-supporting, with the help of the public kea-users mailing list. 

ISC’s Knowledgebase

We published or updated 69 articles, including 12 new CVE advisories. New articles cover such topics as; a Stork Quickstart, Stork LDAP Authentication, Private networks and split DNS, RRset limits in zones, Redefining Standard Options, Exempting broken domains in recursion, Altering the Subnet Mask Option Based on giaddr, The Umbrella feature in detail, and A Brief Introduction to LDAP.

The top 10 most-read articles in 2024 were:

1. BIND 9 Security Vulnerability Matrix
2. ISC DHCP 4.1 Manual Pages - dhcpd.conf
3. BIND Logging - some basic recommendations
4. ISC DHCP 4.4 Manual Pages - dhcp-options
5. ISC Packages for BIND 9
6. CVE-2023-50387: KeyTrap - Extreme CPU consumption in DNSSEC validator
7. CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources
8. ISC DHCP 4.4 Manual Pages - dhcpd.conf
9. Understanding views in BIND 9, with examples
10. Using Official ISC Packages for Kea

Several years ago we put the ISC DHCP man pages into documents in the KB and ever since, these have been astonishingly popular. There are fewer articles on Kea in our knowledgebase, and fewer views, in part because the Kea ARM is quite comprehensive, and provides more detailed configuration advice, than the BIND ARM. BIND is the most frequently read category with 167.67 views.

The top searches in the KB were for “windows”, “logging”, “cve-2023-50387”, “failover”, “ipv6”, “dnssec”, “rndc”, “next-server”, “ddns”, “CVE-2023-50868” and “Docker”. We ended support for BIND on Windows several years ago and people continue to discover this today and are disappointed.

ISC contributions to external open source projects and community programs

ISC encourages staff to participate in the Internet infrastructure technical community. Several staff currently have specific roles outside of ISC.

DNS-OARC

• ISC is an organization member of OARC.
• Ray Bellis is a member of the Board of Directors of DNS-OARC.
• Cathy Almond is the Chair of the Program Committee of DNS-OARC.

NANOG

TMarc Jones is a member of the NANOG Community Engagement Committee.

ICANN

• Jeff Osborn is Chair of the Root Server System Advisory Committee (RSSAC).
• Rob Carolina is ISC’s Alternative Representative on RSSAC.
• Ondřej Surý is a Trusted Community Representative and Recovery Key Share Holder for the DNS Root zone.

IETF

• Petr Špaček is ICANN Liaison for IETF, and a member of the expert reviewer team for the DNS Directorate.
• While ISC staff participated in reviews and discussions of numerous IETF documents, only one document authored by an ISC staff person reached RFC status in 2024, DHCPv6 Options for the Homenet Naming Authority  (https://datatracker.ietf.org/doc/html/rfc9527), co-authored by Tomek Mrugalski of ISC.

Open Source contributions to non-ISC projects

Obviously, staff are welcome to contribute to external projects. These are some of our code contributions.

Michał Kępień

• https://github.com/libgit2/pygit2/pull/1282
• https://github.com/openwrt/openwrt/pull/13453
• https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111613
• https://github.com/libgit2/libgit2/pull/6973

Michal Nowak

• https://github.com/libuv/libuv/issues/4584
• https://github.com/rthalley/dnspython/issues/1055
• https://github.com/rthalley/dnspython/issues/1034

Sławek Figiel

• https://github.com/shirou/gopsutil - Fix a bug occuring on BSD-like systems
• https://github.com/goreleaser/nfpm - Enable environment variable substitution for a configuration option

Tomek Mrugalski implemented DNR option sending in Wireshark. The wireshark patch was submitted upstream.

Ondřej Surý led the effort to update the PHP packages in next Debian stable (trixie) to PHP 8.4 and is running the highly successful https://deb.sury.org project that provides multiple PHP version packages for Debian and Ubuntu.

ISC sponsored work in the libuv project, to add the uv_udp_try_send2() function.

Other Community engagement

ISC published 18 blogs in 2024. ISC staff delivered at least 8 presentations at community events. ISC abandoned X a long time ago: in 2024 we added a Bluesky account to our social media presence.

ISC did not give any webinars in 2024. Our usual presenter was unavailable, and the viewership for these events had declined over the years, giving us the impression that these were no longer worth the effort. 

ISC sponsored an information table at all three 2024 NANOGs, sponsored a scholarship program for All Things Open for local user groups, and contributed to the 2024 BSDCan.