Nixu Software Web Journal

March 6, 2009

Imitation Is the Sincerest Form of Flattery

Filed under: Uncategorized — Juha @ 8:24 pm

As all of you who have read my previous blog entry recall, business has been looking really positive here at Nixu Software regardless of the economic malaise surrounding us. At times, I have almost been feeling a little schizophrenic, given the discrepancy between the media coverage and what we have been witnessing ourselves.

During times like this, I think it’s pretty healthy for companies to start looking around for weak signals on where the world is heading after the smoke has cleared, to see if their strategy still aligns with the world we live in once the next upturn starts. After all, economic downturns and downright recessions are capitalism’s way of cleaning up the table, to pave the way for new technologies and companies that make this world a better place for us all to live in. When the next upturn comes - and trust me, it will come - we all want to make sure that we have positioned ourselves right bearing the new situation in mind.

There’s actually a great little book that relates to this, Who Moved My Cheese by Spencer Johnson, M.D. It’s a story about two little mice, Sniff and Scurry, and about two little people, Hem and Haw. While the two little mice are always quick to sense the upcoming change and act upon it immediately, Hem and Haw are more concerned about preserving the status quo and enjoying their comfortable lifestyle, until they realize that someone moved their cheese. As far as Nixu Software is concerned, we’ve always tried to act like Sniff and Scurry, the two agile mice, rather than as Hem and Haw.

Of course, being a mouse doesn’t come without downsides. There will always be cats around. Some of these cats are copycats tempted by the quality and the quantity of the cheese Sniff and Scurry found in the Maze. Some are there only for the thrill of chasing down the mice, with little genuine regard for the cheese itself. And the cats come in all colours: some of them are black, some white, and some blue. Luckily, as long as Sniff and Scurry have found their quality cheese in time, they have gained a rat-like size that helps them in keeping the cats at bay. Especially if the cat is just a kitten that doesn’t walk his talk.

Now, you may be wondering what all this has to do with virtualization-ready DNS, DHCP and IPAM software appliances. Please allow me to explain.

Today, I noticed that Bluecat Networks had become rather tempted by the cheese Nixu Software has found and wants to join the party. As such, we’re significantly ahead of the competition in this space and so I’m more than happy to welcome anyone to compete with us. Especially as Copycat… sorry… Bluecat Networks doesn’t even have a virtual appliance they could offer to the market. This is a direct quote from their press release published this week: “BlueCat Networks will be making its virtual appliances available to select customers for Early Adopter testing.” Will be making… Select customers… Early Adopter testing… I guess Copycat thinks selling paperware as opposed to software is a great strategy! :-)

But not having products is not why I decided to write this blog. Rather, this entry stems from the comedy of the visual elements they are now using at Bluecat Networks’ website. Below, please see a screenshot of Nixu Software’s website that has been online for a lot more than a year now:

Here is Bluecat’s new homepage they published this week:

Bluecat Homepage

Notice any similarities?

No products and visual clues ripped off from others… Well, at least they were able to write the press release.

January 26, 2009

Mordacs Are Good for Business

Filed under: Uncategorized — Juha @ 9:51 pm

About a year ago, I posted a blog entry on my predictions for 2008.

As it turned out, they were more or less spot on: server virtualization did indeed gain some serious momentum over the last 12 months, and we saw a flurry of end-user organizations migrating their DNS, DHCP and IPAM servers to virtual computing environments. And so, although the news headlines have been all about doom and gloom over the last few months, the market for Nixu Software’s virtualization-ready DNS, DHCP and IPAM software appliances has remained as strong as ever. In fact, we’re now projecting solid three-figure growth (as in hundreds of percent) for H1 2009 vs. H1 2008, regardless of the economic turmoil that surrounds us.

Now, if you are even close to being as critical as I am, and have been reading money.cnn.com as of late, you might be wondering if yours truly is a) delusional, b) full of it, c) something of a simpleton, or d) all of the above. Rest assured, I am none. Rather, I think our recent success is explained by two factors: server virtualization and Mordacs. ;-) Please check out the link and allow me to explain.

This comic strip on Mordac depicts a classic example of what happens when organizations end up running plain BIND and DHCPD servers in their network. Mordac compiles the source code on the OS of his choice… Then he does a bit of fine-tuning… A few little configs here and there… And a few short weeks later, voilà - you now have at least somewhat operational DNS and DHCP services in your network.

Now that Mordac has taken care of his job, he goes on holiday. He has deserved it, mind you, because of all the hard work he put into building you a network. And although Mordac had already used up all his annual leave, his boss has no other choice but to allow him to venture off to Russia, because Mordac happens to be holding the entire organization hostage. If Mordac left, his boss would have to write off the entire business infrastructure as no one else really knows how all that stuff works. Mordac has put it all together, you see. And while this of course is all good news for Mordac’s perceived job security, it’s not such good news for his employer, being at the other end of the stick and all.

And so, while Mordac is still submarining away somewhere off the Siberian coastline, his boss starts asking the difficult questions. He knows they’ll have to cut down the overheads in the near term, so he has started thinking about consolidating their network services and applications to a virtual computing environment. This would reduce the server management overheads, as well as create savings on the utilities and data centre costs. He has also been thinking about finding a supported, commercial DNS and IPAM solution that would allow his team to simplify network management, to streamline operations. This would allow him to transfer Mordac into more productive development projects where he got some real work done, rather than hiding away in the broom closet with the DNS servers, as he usually does. After all, Mordac’s boss is currently paying a consultant $200 per hour to do this work, so assigning Mordac to these tasks would save the organization almost $30,000 per month.

Surfing the Internet, Mordac’s boss lands at Nixu Software’s homepage. These guys are selling software appliances for DNS, DHCP and IPAM that even the boss himself can install in 10 minutes. Better yet, these Nixu Products are available as software appliances that can be run as VMs on his Citrix and VMware platforms at only $495 per server per year, without the cost of hardware and hw maintenance associated with hardware appliances. And this $495 per server per year, by the way, is almost exactly the same amount that Mordac costs his company each day…

My prediction for 2009? More of the same.

To learn more about Nixu Products, please visit www.nixusoftware.com.

December 12, 2008

Running Nixu Products on Citrix XenServer 5

Filed under: Uncategorized — Juha @ 7:34 pm

As my regular readers may remember, Nixu Software entered into a technology partnership with XenSource in early 2007 before the company was acquired by Citrix in August 2007. Over the last 18 months, our product team has been working quite actively with XenServer, doing beta testing and making sure that different Nixu Products can be run seamlessly as paravirtualized virtual machines on Citrix’s XenServer platform.

As many of you know, Citrix has put a massive development effort into the latest XenServer 5, to create an enterprise / carrier grade virtualization platform offering the level of performance and availability required in business critical production environments. Having visited the Citrix Summit in Orlando this October and seen XenServer 5.0 in action, I couldn’t help but be immensely impressed with what they had done. All the right qualities and features were there: performance, availability and user-friendly management utilities all in a competitively priced, affordable package.

As I have said here before, Nixu Software’s strategy is based on the assumption that to show return on virtualization investment, organizations must virtualize as many (network) services and applications as possible. To put this into a context, I think iPod serves as a great analogy: while iPod is certainly a great MP3 player, it would be of very little value to its owners if they didn’t have any music files in the player. In much the same way, no matter how great a virtualization platform you were running, it would be of very little value if you did not run any services or applications in it.

Of course, another thing that made iPod a huge hit for Apple was the fact that they were smart enough to launch iTunes along with iPod. Had it been difficult to download MP3 files to iPods, it would have been only the hardcore Apple fanatics and early-adopters who could have been bothered to do it. But with an online service such as iTunes, quality content was readily available to anyone and could easily be exported to, and run in, iPod.

Following this same analogy, we decided to certify Nixu Products as Citrix Ready. The idea here is to make it as easy and cost-efficient as possible for end-users running Citrix XenServer to migrate their existing DNS, DHCP and IPAM to a virtual machine environment. To verify the viability of this proposition, Citrix agreed to test Nixu Products in-house to make sure that our products really are as good as we claim. And they were.

To find out Citrix’s exact position on Nixu Products, please click here to read Craig Ellrod’s excellent blog entry at Citrix Community on his impressions on the goods we deliver. Should this make you interested in giving them a go yourself, all you have to do is to register an evaluation at our website, download an ISO installation media, and boot up a new virtual machine in your XenServer. There are a few simple steps you will have to take to switch the resulting vm to paravirtualized mode - please find the instructions below.

Paravirtualizing Nixu Products in Citrix XenServer

1. Obtain Nixu SNS, Nixu DHCP Server, or Nixu NameSurfer Suite ISO image installation media and license key from www.nixusoftware.com.

2. Burn the ISO image on CD (or use virtual CD-drive)

3. Install Citrix XenEnterprise 4.1.0 or newer

4. Create a new VM using the “Other Install Media” option; at the minimum, allocate 256 MB of RAM, 6-8 GB of disk space, and 1 CPU.

5. Create the VM and boot it from the ISO image. For basic installation, select “single” in the hard drive setup.

6. Log in and configure the IP address, netmask and gateway for the Nixu Product. When installing Nixu NameSurfer Suite, execute the installation script after this; please note that Nixu SNS and Nixu DHCP Server will execute the installation script automatically.

7. Install XenTools and the accompanying kernel:

# cd /media

# mount cdrom

# cd cdrom/Linux

# ./install.sh

The kernel for Nixu products running on the CentOS 4 platform is:

vmlinuz-2.6.9-67.0.4.EL.xs4.1.0.19xenU

8. Shut down the VM.

9. Change the VM to a PV guest as follows (the instructions have been extracted from http://community.citrix.com/blogs/citrite/anilma/2008/07/02/Installing+Ubuntu+on+XenServer):

From the control domain console of your XenServer:

9a) Determine the UUID of the Nixu Product VM (e.g. Nixu SNS) by using the xe CLI:

# xe vm-list | more

<click-drag to highlight. Right click to copy, paste uuid.>

If you are logged into the control domain, pressing the <tab> key will perform auto-completion of UUIDs in subsequent XE commands, so you don’t need to keep typing it in every time!

9b) Clear the HVM Boot mode from the VM:

# xe vm-param-set uuid=<uuid> HVM-boot-policy=

9c) Switch the VM to using the pygrub bootloader, which starts the guest in PV mode by examining its filesystem for a kernel:

# xe vm-param-set uuid=<uuid> PV-bootloader=pygrub

9d) Configure the kernel boot arguments to display the login console on the correct TTY, so that it shows up in the XenCenter console:

# xe vm-param-set uuid=<uuid> PV-args="console=tty0 xencons=tty"

9e) Next, you need to flag the root disk of the VM as bootable so that pygrub knows where to look for the PV kernel:

# xe vm-disk-list uuid=<uuid>

9f) Look for the UUID of the VBD for the disk. VBD stands for “Virtual Block Device” and represents how to map the virtual disk into the virtual machine:

# xe vbd-param-set uuid=<vbd uuid> bootable=true

This will set the root disk VBD to be bootable.

9g) Start the VM and check that Virtualization in General tab is “Optimized” and everything works:

# xe vm-start uuid=<vm uuid>
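
The switch to PV mode in steps 9b-9g, gathered into one shell script as an added example (it is not part of the original post or of the Citrix instructions it cites). It only prints the commands unless APPLY=1 is set, and before changing anything it checks that the VM is halted and that the VBD really belongs to that VM; those two checks rely on xe vm-param-get and xe vbd-param-get, which the post does not show, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post: steps 9b-9g as one guarded script.
# Usage: APPLY=1 sh hvm2pv.sh <vm-uuid> <vbd-uuid>
# Without APPLY=1 the script is a dry run and only prints the xe commands.

# Succeeds only for a canonical lowercase 8-4-4-4-12 hexadecimal UUID,
# so nothing else ever reaches the xe command line.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Executes the command when APPLY=1, otherwise prints it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Pre-flight checks: the VM must be shut down (step 8) and the VBD picked
# in steps 9e/9f must be attached to this VM and not to some other guest.
preflight() {
    state=$(xe vm-param-get uuid="$1" param-name=power-state) || return 1
    [ "$state" = halted ] || { echo "VM is $state, shut it down first" >&2; return 1; }
    owner=$(xe vbd-param-get uuid="$2" param-name=vm-uuid) || return 1
    [ "$owner" = "$1" ] || { echo "VBD $2 belongs to VM $owner" >&2; return 1; }
}

# convert_to_pv VM_UUID VBD_UUID: stops at the first step that fails.
convert_to_pv() {
    vm=$1; vbd=$2
    is_uuid "$vm"  || { echo "invalid VM UUID: $vm" >&2; return 2; }
    is_uuid "$vbd" || { echo "invalid VBD UUID: $vbd" >&2; return 2; }
    if [ "${APPLY:-0}" = 1 ]; then preflight "$vm" "$vbd" || return 1; fi
    run xe vm-param-set uuid="$vm" HVM-boot-policy= &&                   # 9b
    run xe vm-param-set uuid="$vm" PV-bootloader=pygrub &&               # 9c
    run xe vm-param-set uuid="$vm" PV-args="console=tty0 xencons=tty" && # 9d
    run xe vbd-param-set uuid="$vbd" bootable=true &&                    # 9f
    run xe vm-start uuid="$vm"                                           # 9g
}

if [ "$#" -eq 2 ]; then convert_to_pv "$1" "$2"; fi
```

Run it from the XenServer control domain; in the dry-run output the PV-args value is shown without its quotes, but with APPLY=1 it is passed to xe as a single argument.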

December 9, 2008

DNS Got Wired: Detective Story on Kaminsky Vulnerability

Filed under: Uncategorized — Juha @ 8:19 pm

Like so many people, I too enjoy detective stories. For people interested in network security, there’s at least Henning Mankell’s Firewall, a fictional account of how detective Wallander from the small Swedish town of Ystad solves a cybercrime - or a conspiracy, really - threatening the entire world. Granted, some parts of the novel may seem a little naive for people working actively in the field of network security, but it’s none the less an entertaining read, as Wallander books tend to be.

Anyhow, assuming you share my fascination towards detective stories and DNS, I’m sure you’ll enjoy the story on Kaminsky Vulnerability published in the latest issue of Wired Magazine. It’s almost like reading a detective short story - but unlike most short stories, this one is based on reality.  To read the article online, please click here.

As an interesting sidenote, Andreas Gustafsson appearing in this story is actually the same guy who was the mastermind behind the proprietary primary DNS server we still use in Nixu NameSurfer today. After having developed the ‘ns process’ used in our proprietary DNS server, Andreas moved on to Nominum to develop BIND 9. But this of course is a different story altogether, with no detectives involved!

November 24, 2008

How Is Your DNS? Free Online Tool Revisited.

Filed under: Uncategorized — Juha @ 8:10 pm

As many of you recall, Nixu Software launched a free online service at howismydns.com in March 2008. Since launching the website, we’ve been seeing a constantly increasing number of visitors utilizing the online test tools to check the health of their public DNS service. In fact, it currently looks like we’ll be blowing past the 10,000 page requests per day mark any day now.

Interestingly enough, we’ve also been approached by a number of TLD operators interested in providing a similar service for their own top-level domains. To address their exact requirements, we’ve continued the development of the engine used at howismydns.com, to allow TLDs to meet their country-specific decrees on how DNS servers should be set up, as well as to create even more value to people using our online tools at How Is My DNS?.

Having finalized the development of version 2 of the DNS checking engine a while back, we’ve now upgraded the server running behind the free online service to the latest and greatest. Please do give it a go, to see what we’ve done: there are a number of new tests the engine now performs, making it an even more valuable tool for network admins.

As it happened, I was interested in seeing how the networking community has responded to the free tools at howismydns.com and decided to run a Google search using the phrase. In the search results, I found a rather flattering post on the service - thanks be4u! :-) In case you’re reading this, I hope the new version of the service is even more useful than the first one.

November 13, 2008

Discontinuities Shaping DNS, DHCP, IPAM Landscape

Filed under: Uncategorized — Juha @ 8:04 pm

On October 30, I published Jake Sorofman’s great article “Cutting with a Scalpel: IT Budget Planning in a Down Economy” here at this blog. For a full story, please click here.

To make a long story short, Jake opined that as IT has become rather entwined with business models, cutting IT budgets with a hatchet will translate to trouble as the business picks up again, because the degraded IT infrastructure will not be able to scale up as business starts expanding again. Given this, smart CIOs cut costs during an economic downturn with scalpels rather than hatchets, to make sure that business-critical infrastructure continues to be maintained and developed regardless of the economic landscape.

At least as far as I’m concerned, this makes perfect sense: when it comes to networking technologies in general, and D-services (DNS & DHCP) and IP address management (IPAM) in particular, there are at least three emerging technology trends that will have a huge impact on business infrastructure and the operations carried out using it. These are server virtualization, IPv6 and DNSSEC. Here’s why.

Despite the economic turmoil that has been going on over the last few months, IT departments all over the world are looking at new emerging technologies creating discontinuities in the way in which networks and applications are being consumed and run. Some of the most profound discontinuities include the following:

  1. Virtualization is gaining further momentum as organizations continue the consolidation of their computing resources. This creates a paradigm shift in how applications and network services are being run, as the only way to show ROI on virtualization investment is to migrate as many services and applications as possible to the virtual computing environment.
  2. RIPE will be running out of IPv4 blocks that it can allocate over the course of the next 18 months or so. This makes public IPv4 addresses a scarce resource, requiring organizations to make their networks IPv6 compliant sooner rather than later. The gradual shift to IPv6 enabled networks also places IP Address Management (IPAM) at center stage, as the number of IPs that have to be managed doubles during the transition period from IPv4 to IPv6.
  3. The Kaminsky vulnerability announced in July 2008 has made DNS one of the most urgent Internet security problems. While a new technology called DNS Security Extensions (DNSSEC) has been introduced to address the related security concerns, it makes DNS management an increasingly complicated and time-consuming task, as it adds new zone signing and key management tasks to DNS management processes.

Now, back in the 90s when organizations were initially designing and implementing their existing computing and network environments, on which business operations continue to rely today, organizations had ample resources set aside for designing and implementing them. This time around, however, it looks like the second generation of ICT infrastructure will have to be designed and implemented with significantly fewer resources. Luckily, there are now solutions out there allowing organizations to accomplish this seemingly impossible goal successfully.

Nixu Software specializes in virtualization-ready software appliances designed for DNS, DHCP, and IP Address Management, with a mission to create the benchmark for the combination of security, ease-of-use, and lowest TCO in its industry. Thanks to its technology alliances with virtualization industry leaders VMware and Citrix, and with product portfolio already supporting DNSSEC and IPv6, Nixu Software is uniquely positioned to provide your company with the goods your customers are looking for.

In practice, Nixu Software’s mission is to make it as easy and cost-efficient as possible for organizations to address these future trends, thereby ensuring the viability of their business infrastructure and operations as we enter the 2010s. For further details on Nixu Products, please visit our website.

November 5, 2008

Presidential Politics and IT Transformation

Filed under: Uncategorized — Juha @ 9:42 pm

Jake Sorofman, VP of Marketing at rPath, just sent me an interesting note on Barack Obama’s upcoming presidency and the impact it may have on IT transformation. As always, Jake made some rather interesting points in his piece, so I thought I’d share his views with you all. After all, the whole world is likely to be affected by President Obama’s politics, not just the US, so I’m sure this is of at least some interest to us all on this planet called Earth.

The Winds of Change: How Presidential Politics Informs IT Transformation

“For most people, the prospect of fundamental change is about as comforting as a root canal. By their state of nature, most people are change averse, preferring the quiet predictability of the status quo to the frothy tumult of a fundamental shift.

That is, until change seems to be the only tenable answer.

America voted for change during this election cycle because change seemed to be the only tenable answer. Putting politics aside, few will argue against the notion that this country faces some great challenges, many of which are fairly troubling. This sort of recognition tends to trigger a shift in our tolerance for change. It makes us more willing to think differently, take on an element of risk, and accept a degree of near-term uncertainty in exchange for the prospect of a longer-term payoff.

This is as true in presidential politics as it is in information technology.

Technology wasn’t a major theme of the 2008 presidential race. With all the issues keeping us up at night, IT policy simply didn’t rise to the top of either campaign agenda. Certainly, both candidates had technology platforms, but the emphasis was elsewhere during this election cycle.

Let’s face it: neither candidate is exactly Al Gore when it comes to technology (I’m exercising restraint on Internet jokes here). Sen. McCain’s technology experience is long in policy and short in practice; he has served on the Commerce Committee in the Senate and was involved in the seminal Telecommunications Act of 1996. But, by his own admission, he’s never sent e-mail. Sen. Obama was served well by an impressive campaign machine with a strong emphasis on e-marketing, personalization and social media, but by many accounts, he’s no power user either.

Change comes in cycles, which are impossible to predict, but unmistakable when they occur. I would argue that we’re in a change cycle today — both in terms of presidential politics and IT leadership. Just as the public voted that the old way was no longer serving us well, the same sort of vote is happening in enterprises today. Yesterday’s costly, rigid and monolithic IT architectures are giving way to a new approach centered on the principles of virtualization, cloud computing, and service orientation of application functionality.

But the reality is that this sort of IT change requires a significant rethinking of approaches to leadership. It requires a change agent who embodies many of the characteristics that elevated a Junior Senator from Illinois to the highest office in the land. Today’s IT leaders can learn from what we saw on the political stage:

A bias for change

At its most basic level, when people are in pain, it’s critical to tell a story that encompasses change at its most fundamental level. In presidential politics as well as IT leadership, the truth is that people typically gravitate to optimism, hope and positive sentiment — they want something to believe in. Have the courage to take a stand with conviction and become an agent of change. Be courageous.

Inspirational leadership

There’s no excuse for a lack of passion. Believe deeply in what you say and do — if you don’t, find a way to convincingly fake it. Paint a picture for the future — the shining city on the hill — that energizes, excites and inspires. Get out of the weeds and learn to tell a story that speaks to value, pain and outcomes.

A willingness to invest in the future

Take a short-term hit for a future benefit. Get people on board with the reality that change isn’t cheap and everyone needs to make some sacrifices for transformational benefit. This means freeing budget in challenging economic times, and it means project tradeoffs that may yield some near-term discomfort. Have the courage to place some bets and take some risk. Incremental thinking is not the friend of change.

A global outlook

Learn to be empathic about your constituents’ needs, wants and aspirations. Strike a balance between say-anything, do-anything pandering and rigid ideology and provincialism. Put yourself in the shoes of others and try to internalize their points of view. Shape the narrative of your IT transformation based on the specific anecdotes you capture. Tell stories that are respectful and inclusive of diverse needs.

A current perspective

Stay on top of current trends. You don’t need to become a Web 2.0 junkie, but learn to understand the prevailing culture of innovation. You may not be in a position to embrace every new trend that emerges, but you’ll almost certainly benefit from understanding the principles of emerging trends and weaving them into the fabric of your vision for transformation.

Setting politics aside…

Aside from religion, politics may be the most dangerous third rail of polite conversation. This perspective is not meant to be politically ideological, but to share a perspective on what worked so brilliantly well this campaign season and how that can be applied to your role as an agent of change. During his gracious concession speech, Sen. McCain called for us all to come together in support of change. This is an important call to action for both politics and IT. This is the opportunity to think differently, act and believe. Take a page from the book of American President #44: hope is the true catalyst for change.”

October 30, 2008

IT Budget Planning in a Down Economy

Filed under: Uncategorized — Juha @ 6:52 pm

Having written a lot about virtualization and cloud computing in this blog, it has been fascinating to see how that proposition has been gaining traction over the last few months. And not only in media either, as we’ve spotted a large number of real organizations out there riding the virtualization trend. As a matter of fact, as much as 85% of our direct sales are now made to organizations running Nixu Products in virtualized computing environments.

Despite the economic and financial turmoil, it really seems like many organizations are working actively on virtualization and cloud computing initiatives, to realize the efficiencies and enjoy the financial gains it promises. In fact, this is also the reason why I haven’t been writing recently: our virtualization-ready software appliance proposition has been gaining such a good traction over the last few months that we’ve spent all our time catering to the needs of customers making their way to the virtual land.

Luckily, there are some great minds out there who are more than willing to help us out in providing you with quality content. Jake Sorofman, the VP of Marketing for rPath (the other software appliance pioneer) just recently forwarded us an excellent piece on virtualization and cloud computing; the way in which the current economic trend impacts these underlying trends; and how that relates to IT Budget Planning. I couldn’t agree more with Jake so please find his insights below.

Cutting with a Scalpel: IT Budget Planning in a Down Economy

“If you’ve followed the recent presidential debates, you’re probably familiar with the “hatchet and scalpel” metaphor for fiscal planning. By one candidate’s logic, the hatchet is the old way of cutting budgets during a down economy: wholesale reductions across the board, with little regard for the relative value of programs.  In this context, a single hatchet stroke cuts fat, while also cutting away the muscle and bone that is fundamental to setting the economy back on track.

The new and perhaps more enlightened approach, this candidate suggests, is to use a scalpel to make precision cuts at just the programs that can be sacrificed, while preserving investment in the areas required for future growth and transformation.

This metaphor is equally apt for thinking about IT budget policy.

During the last recession, IT organizations learned the high cost of cutting with a hatchet. By their own admission, many IT organizations cut too deeply, hacking at IT spending in a way that left organizations weakened and unprepared to fully exploit the opportunity presented by the subsequent economic expansion. What was seemingly lost on some folks was the fact that IT had become so fundamentally entwined in business models — even for traditional old-line organizations — that wholesale contraction in IT spending was penny-wise and pound-foolish.

This time around, the prudent CIO will cut with a scalpel, ensuring that adequate investments are made in foundational technologies that will help transform the delivery and consumption of enabling technologies.

A recent podcast conversation between pundit foursome Dana Gardner, Tony Baer, Jim Kobielus and Dave Linthicum supports this point, suggesting that interest and investment will continue for transformational IT approaches like cloud computing.

This finding is corroborated by a recent rPath webinar, “The Pragmatist’s Guide to Cloud Computing: A 5-Step Framework for Achieving the Strategic Value of Cloud Computing While Delivering Real ROI Along the Way,” which introduced the concept of The Cloud Computing Adoption Model as a graduated approach to cloud transformation.  A poll conducted during this very well-attended webinar clearly indicated that spending continues in virtualization and cloud technologies at paces equal to and often far exceeding pre-recessionary levels. In fact, only 5.9% of respondents expected to see declining investment in these areas, which is quite a statement when you consider the downward pressure facing most IT budgets.

Reading between the lines, the story appears to be that organizations will continue investing in these areas, because they recognize that change is necessary. The old way of delivering and consuming technology has become far too slow and expensive, and new models like virtualization and cloud have begun to shine light on a more sensible model that organizations must embrace to remain competitive. Forgoing investment in these areas during challenging economic times is the sort of hatchet-based IT budget policy that would have deep and lasting consequences.

But while they recognize that this sort of transformational change is necessary, prudent organizations aren’t willing to dive headlong into change without the promise of near-term impact. Tony Baer refers to this as “tactical transformation,” his admittedly oxymoronic take on what I believe is the zeitgeist of IT today.

According to Baer, “in times like these, obviously you have changing economic conditions — changing in a very unpredictable manner. On the other hand, the financial crunch and the credit crunch [are] going to restrict the amount of resources you have at your disposal. So, you’re basically going to look very opportunistically. You are going to look at, let’s say, the low-hanging fruit that will give you the greatest gain in savings or a way to respond to the market in a more agile manner.”

This is consistent with the goal of The Cloud Computing Adoption Model, which aspires to help organizations realize the benefits of virtualization and cloud on the path to a gradual transformation. It’s grounded in the reality that, while organizations recognize the need for change, intergalactic concepts and overstated promises are increasingly overtaken by a cooler, more pragmatic approach.

Investments in transformational areas of IT like virtualization and cloud will continue, but they must occur stepwise with tangible business impact. Change for the sake of change, or change toward the promise of payoff on some distant horizon, simply won’t hold up to scrutiny. Taking a hatchet to IT budgets may be somewhat out of vogue, but that certainly doesn’t grant anyone a blank check for even the most strategic investments. The new IT mantra is both pragmatic and progressive: tangible benefits today, while laying the foundation for transformation tomorrow.”

Jake Sorofman is vice president of marketing for rPath, the pioneer and leader in technology for virtualizing software applications and managing the complete lifecycle of virtual appliances and application images for cloud and virtualized environments. Learn more about rPath at http://www.rpath.com, and contact Jake at jsorofman@rpath.com.

August 7, 2008

DNS Vulnerabilities Taking the Spotlight

Filed under: Uncategorized — Juha @ 8:20 pm

In my previous blog entry on July 9, I went on record saying that the DNS vulnerability announced on July 8 was somewhat theoretical, as there were no incident reports of the vulnerability being exploited in the wild. And while that was indeed the case at the time of writing, the situation changed for the worse rather drastically towards the end of July, as tools designed to exploit this vulnerability were made public. Not long after that, on July 30, SANS reported the first confirmed instance of DNS cache poisoning utilizing this vulnerability. Finally, to up the ante, Dan Kaminsky stated yesterday at Black Hat 2008 in Las Vegas that this security flaw might also make other systems and services such as email, FTP and RADIUS vulnerable.

As the best way for your organization to protect itself against these threats is to update your (recursive) DNS servers with the patches issued on July 8, please make sure that the appropriate software updates have been applied to your machines.

—advertisement—

Better yet, if you would like to make sure that your DNS servers are patched automatically whenever new DNS vulnerabilities are discovered, please take a look at Nixu Secure Name Server. At only $495 per server per year, your DNS servers will be patched automatically, and you will also have access to our helpdesk, where qualified engineers answer your questions. This is great value for money, as our customers have recently noticed.

—advertisement—

On a somewhat lighter note, Dan Kaminsky also had a very nice illustration with him at Black Hat 2008. Namely, a Finnish company called Clarified Networks had created a visualization of the pace at which DNS servers around the world were patched after this vulnerability became public. If you’re interested in checking it out, the illustration is available at Clarified Networks’ website.

July 9, 2008

Latest BIND Vulnerability and Nixu Products

Filed under: Uncategorized — Juha @ 8:59 pm

As many of you have noticed, US-CERT issued a new security advisory, VU#800113, on July 8, 2008, according to which all BIND versions are vulnerable to cache poisoning. This vulnerability only affects BIND servers in which recursion has been enabled. For further information on this vulnerability, please see US-CERT’s full advisory here.

Below is a summary of how this vulnerability affects Nixu products:

Nixu NameSurfer Suite

The proprietary primary DNS server included in Nixu NameSurfer Suite IS NOT affected by this vulnerability. Secure64 DNS and/or NSD servers run as DNS secondaries to Nixu NameSurfer Suite ARE NOT affected. BIND servers run as DNS secondaries to Nixu NameSurfer Suite are affected ONLY if recursion has been enabled in them.

For users who have enabled recursion on BIND servers run as DNS secondaries to a Nixu NameSurfer primary, we recommend that the BIND servers be updated to the latest version.

Nixu SNS (Secure Name Server)

The BIND version included in Nixu SNS was affected by this vulnerability if recursion was enabled. To address this issue, all users running Nixu SNS with automated software updates enabled received a patched version of BIND (9.2.4-28.0.1.el4) on July 9, 2008, by 7am GMT/2am EST. This version addresses the vulnerability announced in advisory VU#800113.

All in all, I think we have covered our bases rather nicely.

General Notes

More generally, although this vulnerability has attracted a lot of attention this time around, the DNS cache poisoning technique used to exploit it has been known for quite some time. And interestingly enough, there have been no real-life reports of incidents in which this technique (providing false name resolution to recursive DNS servers by spoofing the address of an authoritative DNS server and guessing the right transaction ID) was used. Of course, such an incident may have been difficult to spot, but still…
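The guessing game described above, worked through as an added example (not Nixu's or ISC's code): a spoofed answer has to match the 16-bit transaction ID, and the July 8 patches make the resolver's UDP source port one more value that must be guessed. The sample port lists, the 10-bit verdict threshold and the `forged_per_race` figure are constructed assumptions, and the spread-based estimate is a heuristic.

```python
import math
from statistics import pstdev

TXID_BITS = 16  # the DNS header transaction ID is a 16-bit field

def port_bits(ports):
    """Heuristic estimate of source-port unpredictability, in bits (0..16)."""
    if len(set(ports)) <= 1:
        return 0.0                      # one fixed port: nothing to guess
    steps = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:
        return 0.0                      # constant increment: next port is predictable
    # A uniform range of width w has standard deviation w / sqrt(12).
    width = min(65536.0, pstdev(ports) * math.sqrt(12))
    return math.log2(max(width, 1.0))

def spoof_odds(ports, forged_per_race):
    """Chance that one of `forged_per_race` distinct guesses matches both the
    transaction ID and the source port of a single outstanding query."""
    space = 2 ** (TXID_BITS + port_bits(ports))
    return min(1.0, forged_per_race / space)

def assess(ports, forged_per_race=100):
    """Summarise one resolver from the source ports of its outbound queries."""
    bits = port_bits(ports)
    return {
        "port_bits": round(bits, 2),
        "search_space_bits": round(TXID_BITS + bits, 2),
        "odds_per_race": spoof_odds(ports, forged_per_race),
        # Assumed threshold: under 10 bits is treated as not randomized.
        "verdict": "randomized" if bits >= 10 else "predictable source port",
    }

# Constructed samples: source ports of eight consecutive outbound queries,
# as a packet capture on the resolver's upstream interface would show them.
FIXED = [32768] * 8
SEQUENTIAL = [1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031]
RANDOMIZED = [51234, 2345, 40111, 17890, 60321, 9876, 33333, 25001]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("randomized", RANDOMIZED)]:
        print(name, assess(sample))
```

A resolver that reports zero port bits after the update window is the one to chase: either the patch is missing or a NAT device in front of it is rewriting the randomized ports back into a predictable sequence.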

As one of my tech-savvy colleagues at Nixu stated (hello Juhani! :-) ), perhaps the most interesting thing about this entire episode was the fact that Dan Bernstein suggested the security improvements included in the latest BIND releases (as well as certain other caching DNS products) some years ago, when this attack technique was first discovered. However, it took a bit of time and the involvement of Dan Kaminsky and Paul Vixie to make this vulnerability a mainstream news item, and, before that, to get most caching DNS server vendors to react to the issue. Please visit Doxpara Research’s website for further details.

Of course, it’s always a big positive when there’s a push for people to update their DNS servers. After all, not everyone does that as often as they should. But software updates aside, I think there might also be another political agenda at play here. As ISC stated in their summary on this vulnerability:

“A weakness in the DNS protocol may enable the poisoning of caching recursive resolvers with spoofed data. DNSSEC is the only full solution. New versions of BIND provide increased resilience to the attack.” (emphasis is mine)

Do they mean to say it’s high time for everyone to get their DNSSEC plans straight? ;-)
