HP transmitted a Security Bulletin for MPE/iX yesterday. Such a bulletin is a rare thing for the HP 3000, which is often protected by its unique architecture and design. But adopting an open source standard for Domain Name Services (DNS) has cut off the system, now that DNS caches are at risk.
The HP bulletin reports a security breech of BIND/iX, the software that has provided DNS for the 3000 since 1998. HP reports that the DNS cache poisoning of last year is permitted by BIND/iX 9.3.0, which is inside MPE/iX 6.5, 7.0 and 7.5, HP says. (You'll need a login and password to read the text off the HP IT Response Center Web page.)
DNS is not a widely-used service hosted on HP 3000s. When HP rolled BIND/iX out more than 10 years ago, it called DNS “a basic Internet service that’s been lacking from the HP 3000,” and noted that the addition will help sites bypass Unix or Windows systems and create all-3000 intranets.
But even if BIND isn't that important to the community, there's news in the Resolution part of the bulletin, which says,"The resolution is to discontinue the use of BIND/iX and migrate DNS services to another platform." This is as clear a message as any that the HP patch era for the 3000 has ended. Last year HP announced that it would not create any more patches for the 3000, starting in 2009 — not even patches for security risks.
The company is capable of closing this security hole. HP created a patch to fix BIND on HP-UX back in the summertime. By August 8, Unix users could apply a patch to BIND 9.3.2 or BIND 9.2.0.
It's good fortune this time that the DNS services on 3000s are not used much in the community. Despite HP's Internet and Inteoperability endeavors of the late '90s, most customers now devote a Windows or Linux box to this Internet duty. But no HP patch will deliver HP 3000 users from this "bind." And so one part of HP's MPE/iX feature set goes dark, for want of HP patch engineering.
The good news is that BIND came to the HP 3000 through an outside effort. Mark Bixby, the former HP engineer who's now working at QSS, created BIND/iX from open source repositories. HP adopted his work to place in MPE/iX 6.0, to start. Whatever HP has done to secure BIND on HP-UX might be accomplished for BIND/iX by a third party.
Bixby, in fact, counselled the community to get educated about open source tools like BIND when he was still working at HP. Someday HP would stop patching open source portions of MPE/iX. Then it would be up to the community to carry the open source tools forward, just as he did while working as a volunteer to craft BIND/iX. He need the software for his work as a system manager for a California college. The community got a donation of his work.
That same kind of volunteerism is still a possibility for the 3000 community. It might have to begin, however, on an open source module that's more business-critical than BIND.