ISC Retrospective on 2014 Open Source Work

Most of our work at ISC falls into one of two major project categories: open source development and network services. We will review our 2014 accomplishments in network services in a separate post.

In 2014 we did a solid job of maintaining our primary open source projects, BIND 9 and ISC DHCP. We fixed more bugs in 2014 than were discovered or reported in 2014, even as we dedicated a lot of resources to addressing the resolver DDOS problem and maintaining our support for standards development.

BIND 9

BIND is the industry reference implementation of the DNS protocols and a significant open source program at ISC. In 2014 we made the difficult decision to cancel work on BIND 10, and re-focus on BIND 9. We have continued maintenance of BIND 9 and added a new feature branch. In 2015 we hope to add more resources to the BIND 9 program, improve our test coverage, and bring out another new feature branch, 18 months after the previous one.

Major accomplishments in 2014

• Released 9.8.7 & 9.8.8, 9.9.5 & 9.9.6, 9.10.0 & 9.10.1.
• Declared EOL for BIND 9.6 in January 2014 and for BIND 9.8 in December 2014.
• We added 24 new articles about BIND in our Knowledgebase (kb.isc.org)
• We posted an open BIND git repository
• We released the beta version of a new BIND DNSSEC Guide

Maintenance

RESOLVED 575 issues in 2014, (not counting those opened before 1/1/2011)*
OPENED 557 new issues in our bug tracker

• We made a special effort to review and accept more contributed patches. In 2014, we accepted, integrated, and released at least 35 contributed patches.
• Created special Windows releases for: 9.6, 9.8.7 & 9.9.5, fixing a bug that prevented dig and nslookup from exiting properly when run on MS Windows systems.
• Issued 4 –p sets of security releases.
• We made an average of 2.6 commits per DAY to the BIND master branch
• We use the Coverity open source scanning program extensively. BIND is showing an incredibly low defect density of 0.01, with 329,951 lines of code scanned. We added the Coverity badges that track the current status to our BIND and DHCP pages on the ISC website, so the information is readily available.

Security

The Heartbleed vulnerability discovered in OpenSSL had a big impact on the IT community, but did not impact BIND specifically.

We issued 5 CVEs, 3 of which were specific to 9.10:

1. CVE-2014-0591: A Crafted Query Against an NSEC3-signed Zone Can Crash BIND
2. CVE-2014-3214: A Defect in Prefetch Can Cause Recursive Servers to Crash (Affects recursive servers running BIND 9.10 only.)
3. CVE-2014-3859: BIND named can crash due to a defect in EDNS printing processing (Affects BIND 9.10 only)
4. CVE-2014-8500: A Defect in Delegation Handling Can Be Exploited to Crash BIND (Affects recursive servers only.)
5. CVE-2014-8680: Defects in GeoIP features can cause BIND to crash (Affects BIND 9.10 only)

Codenomicon ran some packet fuzzing test runs on BIND 9.10 for us in the summer of 2014. They ran millions of test cases, and found a vulnerability in “dig” which, on closer inspection, revealed a “packet of death” vulnerability in BIND 9.10.0. ISC issued an operational advisory explaining how to build BIND with gcc 4.9 to avoid the problem.

New feature development

• Launched BIND 9.10, with a new faster “map” format for zone files, pre-fetch, cookies, shared views, and new statistics formatting.
• Developed per-zone fetches, per-server fetches, and a hold-down timer for DDoS mitigation, which we trialed in our experimental service-provider branch
• Implemented negative trust anchor to ease deployment of DNSSEC validation, also available now in our premium subscription branch, coming in 2015 to the open source 9.11 release
• Implemented client-subnet-ID for authoritative service and began working on a design and project plan for full client-subnet-ID that will require external funding in 2015.

Contributions to DNS standards

ISC engineers invest considerable time and effort working on proposals for Internet standards. Below is a list of documents in process that ISC staff are writing or co-authoring.

• RFC 7314 Extension Mechanisms for DNS (EDNS) EXPIRE Option: M. Andrews
• Domain Name System (DNS) Cookies: D. Eastlake, M. Andrews
• RFC 6598-6303 Add 100.64.0.0/10 prefixes to IPv4 Locally-Served DNS Zones Registry: M. Andrews
• DNSSEC Key Rollover Timing Considerations: S. Morris, J. Ihren, J. Dickinson, W. Mekking
• A DNS Record for Confidential Comments (expired draft): E. Hunt, D. Mahoney
• A Common Operational Problem in DNS Servers - Failure To Respond: M. Andrews
• RFC 7343 An IPv6 Prefix for Overlay Routable Cryptographic Hash Identifiers: J. Laganier, F. Dupont

ISC DHCP

ISC DHCP is distributed with most open-source operating systems and is incorporated into many commercial DDI/IPAM applications, as well as embedded devices. The software is mature and full-featured, but challenging to maintain. We are proud to have completed another year of aggressive maintenance, and to have released another feature branch. We added a new developer to the project in 2014. In 2015 we are hoping to taper off our work on ISC DHCP and focus more on Kea, the next-generation DHCP server from ISC.

Major accomplishments in 2014

• Released 4.1-ESVR9 & -R10, 4.2.6 & 4.2.7, 4.3.0 & 4.3.1
• Extended the date for End of Life for DHCP 4.1 another year (planned for December 2014, extended until December 2015)
• We created an open ISC DHCP git repository
• We accepted at least 11 contributed patches
• Added 12 new KB articles about ISC DHCP in our Knowledgebase (kb.isc.org)

Maintenance

RESOLVED 167 issues in 2014 (not counting those opened before 1/1/2009)**
OPENED 133 new issues in our bug tracker

We use the Coverity free scanning program for open source programs, and starting in April, 2014, we made it a priority to address our outstanding Coverity errors in the DHCP project. Since then we have reversed the trend, and right now we have a Coverity defect density of 0.09, which is excellent.

We determined that our DHCP client script could be a vector for the Shellshock BASH vulnerability discovered in 2014. We communicated with the operating system packagers (who create these client scripts) about this possibility.

New Feature Development We launched ISC DHCP 4.3.0, which we called our IPv6 “uplift” release. This release added more feature support for IPv6, including access to relay options, on-expiry/on-renew features, and class support. It also added OMAPI subclass control, and implemented the newer standardized DHCID resource record format.

In addition to the 4.3.0 feature release, we added 12 minor features requested by users in releases 4.3.1 and 4.3.2, with selective backporting to earlier releases.

Kea DHCP

Kea is our under-development next-generation DHCP server, intended to eventually replace the ISC DHCP server. Kea is a server only, and does not currently include a client or relay. Kea is intended to be more easily extended than ISC DHCP, and is designed for dynamic reconfiguration. We are encouraged by the interest in contributing to and deploying Kea that we have seen from the community in 2014. We plan to continue new feature development in 2015, making Kea suitable for datacenter or public wifi deployments.

Major accomplishments in 2014

• Released Kea 0.9, which separated Kea from the BIND 10 framework, making it a working standalone application. We also removed the dependency on Python and Botan.
• Began working on Kea 0.91, which is being developed in the open at https://gitlab.isc.org/isc-projects/kea
• We established a set of Kea interest mailing lists, which you can sign up for on the ISC mailing lists page
• We continued our partnership with Gdansk University, holding a hackathon there, and proposing several masters and PhD thesis projects.
• We opened a site on GitHub to accept contributions.
• We have accepted patches from the following: RedHat, CapGemini, CERN, Facebook, and 2 universities, Gdansk University and Silesian University.

ISC contributions to DHC standards development

ISC engineers invest considerable time and effort working on proposals for Internet standards. Among the more notable efforts in 2014 are the work on the DHCP proposal RFC3315bis, and the two DHCP privacy drafts. In addition to working on drafts, ISC Senior Software Engineer Tomasz Mrugalski co-chaired the IETF DHC working group in 2014.

• RFC 7227 Guidelines for Creating New DHCPv6 Options: D. Hankins, T. Mrugalski, M. Siodelski, S. Jiang, S. Krishnan
• RFC 7431 DHCPv4-over-DHCPv6 (DHCP 4o6) Transport: Q. Sun, Y. Cui, M. Siodelski, S. Krishnan, I. Farrer
• RFC 3315bis Dynamic Host Configuration Protocol for IPv6 (DHCPv6) bis: T. Mrugalski, M. Siodelski, B. Volz, A. Yourtchenko, M. Richardson, S. Jiang, T. Lemon
• Customizing DHCP Configuration on the Basis of Network Topology: T. Lemon, T. Mrugalski
• DHCPv6 Options for configuration of Softwire Address and Port Mapped Clients: T. Mrugalski, O. Troan, I. Farrer, S. Perreault, W. Dec, C. Bao, L. Yeh, X. Deng
• Privacy considerations for DHCP: S. Jiang, S. Krishnan, T. Mrugalski
• Privacy considerations for DHCPv6: S. Krishnan, T. Mrugalski, S. Jiang

Major Changes to Projects

• We released version 1.2 of BIND 10, ended the BIND 10 development project at ISC, renamed the BIND 10 components as Bundy, and released control of the source to be managed by the Bundy project, which has put it up on GitHub.
• We jettisoned the DNS-Co branding which had come to symbolize aggressive commercialization.
• We wrapped up the Open Home Gateway Forum, funded by Comcast.
• We removed all restrictions on our Knowledgebase and on our duplicate git repositories for BIND and ISC DHCP, so these resources are all free and open to anyone. Previously we reserved some access for subscribers only.

ISC 2014 conference presentations

• Apricot - DNS Response Rate Limiting presentation
• SELF (South East LinuxFest) - DNSSEC Signing Your Zones
• APNIC - 10 Years of F-Root
• UKNOF - Kea overview, Resolver DDOS Mitigation
• NANOG - How to Fund Open Source
• DNS-OARC - Case Preservation in BIND
• ICANN 50 & 51 - DNS Server panel discussion on tech day at both events, How to Fund Open Source
• AFRINIC - F-Root in Africa
• LISA - DNS Response Rate Limiting mini-tutorial

In addition, we held 2 webinars and organized a meeting about DNS resolver DDOS mitigation measures at the 90th IETF in Toronto.

* Date chosen to represent “current applicable issues.” We released BIND 9.9.0 in February, 2011.

** Date chosen to represent “current applicable issues.” We released ISC DHCP 4.1.0 in December, 2008.