Looking back on ISC's 2024 accomplishments

ISC’s Organizational Health and Operations

Financially and organizationally ISC is in good health, with no major concerns. Revenues in 2024 were strong, nearly $7.7M, which was enough to cover development expenses for our BIND and Kea programs, as well as to fund our overhead, F-Root operations, and Stork development, which didn’t generate any revenue. 

ISC ended 2025 with 45 staff members, over half of whom are software engineers. The BIND team consists of 16 engineers, with six of these focused on QA and release operations. The combined DHCP/KEA and Stork team has 10 software engineers, including three focused on QA and release operations. Three engineers manage the F-Root operations, and some of our internal computing infrastructure. We have seven support engineers, who take turns providing on-call coverage nights and weekends. This leaves five people in our sales and marketing departments and four in general and administrative (G&A).

ISC currently has only a single layer of management, which limits our ability to grow further, because we don’t want to add another layer. We are content with our current size, because we feel we have an effective and efficient structure and a pleasant work environment. Everyone at ISC works remotely, and we meet in person twice a year for dedicated working meetings, as well as occasionally at technical conferences.

ISC Core Programs

BIND 9

In 2024 we hired three new BIND engineers, bringing the team to a total of nine developers, five QA staff and two managers (Director of DNS Engineering and BIND 9 QA Manager). 

We normally release two stable and one development version of BIND each month. We postponed the January 2024 BIND releases and skipped June and November, but still issued a total of 25 open source releases, as well as 12 Supported Preview (-S) versions - plus package versions of all of them.

We released BIND 9.20, a new stable version that completed the transition to new libuv-based event loops, begun with BIND 9.16 and continued in 9.18. We had received reports that some long-duration tasks, like updating statistics, handling transfers, and similar system work, seemed to be blocking query resolution in very busy systems, so we added specialized thread pools to offload long-duration tasks. This was our first stable version with a new database infrastructure, qp-trie, replacing a red-black tree for functions requiring a database, including the zone database, server database, and resolver cache. The transition to libuv and qp-trie were major refactoring projects, involving multiple developers for many months, and requiring extensive testing to discover any performance impacts. The result is a system that scales better on modern platforms.

The DNSSEC signing system has received a major update, and now uses the DNSSEC Key and Signing Policy (KASP) system for managing signed zones. The BIND team added more extended error codes and zone transfer statistics, updated our catalog zones implementation, and implemented the ProxyV2 protocol. ISC staff helped to incubate the Deleg proposal, which is now a new IETF working group, working on a standard for providing more information about the authoritative servers for a zone.

We evaluated, mitigated, and published eleven BIND CVEs, several of which were DNS-wide multi-vendor issues at the protocol level, requiring extensive coordination with other parties. These vulnerabilities take longer to fix and publish, because of the overhead of coordinating with other teams. Historically, most of our CVEs have been assertion failures, but lately there has been a lot of research into overloading different elements of the DNS, resulting in a number of CVEs that can exhaust resources. Some of the mitigations will necessarily require placing limits on the size or number of records BIND will process, which may end up requiring configuration changes for some users. 

• CVE-2023-4408: Parsing large DNS messages may cause excessive CPU load
• CVE-2023-50387: KeyTrap - Extreme CPU consumption in DNSSEC validator
• CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources
• CVE-2023-5517: Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is enabled
• CVE-2023-5679: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution
• CVE-2023-5680: Cleaning an ECS-enabled cache may cause excessive CPU load
• CVE-2023-6516: Specific recursive query patterns may lead to an out-of-memory condition
• CVE-2024-0760: A flood of DNS messages over TCP may make the server unstable
• CVE-2024-1737: BIND’s database will be slow if a very large number of RRs exist at the same name
• CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
• CVE-2024-4076: Assertion failure when serving both stale cache data and authoritative zone content

As an open source project, anyone can open an issue in our repository, and many people do. The BIND team has a generous backlog of (as of this minute) 613 open issues. They typically close between 25 and 50 per monthly release, so there are plenty to choose from. Of the open issues, 96 are labeled as bugs, 132 are feature requests, 22 are labeled documentation issues, and 70 are to-do items related to tests.

Our bind-users mailing list has continued to be busy and to provide helpful advice. We currently have 2408 subscribers to bind-users. We encourage all users to subscribe to the very low-traffic bind-announce mailing list, where we announce new releases and feature deprecation. Current subscribers to bind-announce: 3459.

Kea DHCP

We plan to post a separate blog going into more details on the many accomplishments in the Kea project in 2024, but here are a few highlights:

• We published 12 Kea releases, including a new stable version, Kea 2.6.

• We created the Kea migration page on our website, put up a live Kea migration utility, and released a packaged version of the KeaMA utility.

• We have seen Kea adoption and deployment expanding into a wider range of enterprise environments; our early adopters tended to be access providers (ISPs). Questions about ISC DHCP migration continue, and probably will for several more years.

The Kea project is very busy and also has a healthy number of open issues, 690 at this writing. The monthly development releases typically resolve 20-35 issues. Of the open issues, 44 are labeled as bugs and 137 are enhancements or feature requests. The kea-users mailing list is growing, and has provided a lot of users with configuration help this past year. At this writing the list has 558 members.

Stork

Stork came a long way in 2024, breaking out from a read-only monitoring system to provide comprehensive configuration control for Kea. We released eight versions, including Stork 2.0, issued in November. With that release, we began offering professional support for Stork, and included it under our ISC Software Support and Security Vulnerability Disclosure policy documents. 

We launched a live demo site for Stork (demo.stork.isc.org) to let prospective users try it out with minimal effort. Our marketing team is thrilled to finally have a product with interesting screen shots!

We have ramped up our efforts to track potential vulnerabilities in the Stork dependencies, because the web ecosystem tends to have relatively frequent issues. We even published our first Stork CVE:

CVE-2024-28872: Incorrect TLS certificate validation can lead to escalated privileges

F-Root

ISC added new F-Root sites in Belgrade (Serbia), Pavlodar (Kazakhstan), Lviv (Ukraine), and San Pedro Sula (Honduras), and replaced the equipment in Warsaw (Poland), with thanks to our site sponsors.

ISC’s Support Customer Base

We have literally no idea how many users there are of our software, but we have frequent, excellent communications with our support customers. ISC’s technical support contracts fund all the rest of our operations, including the development and maintenance of our open source. 2024 was a good year for our technical support service.

We hired two new support engineers, which required interviewing dozens of candidates. These additions brought our support team up to a total of seven engineers, including the Director of Technical Support (who is also a capable engineer, of course).

In July, we migrated all our support customers and their open tickets from a large commercial support system back to our old open source ticketing system, Best Practical’s Request Tracker. It turned out that our support customers preferred the email and text interface of the older system to the vastly fancier, and more complicated, commercial system.

We implemented a new process for publishing Advance Security Notifications to our customers, using our ticketing system. We heard that some of our support customers don’t follow our announcement mailing lists, so we added announcement channels in our ticketing system.

2024 saw a significant increase in requests for assistance in migrating from ISC DHCP to Kea, both on the mailing lists and among our support customers. 

Support Customers

As of the end of 2024, we have 187 total customers with Basic, Enterprise, or OEM support agreements that extend into 2025. 88 of these customers have BIND support contracts, and 95 have Kea and/or ISC DHCP contracts. 144 of our customers were returning from prior years, while 43 were new to us. This is a net gain of 34 more support customers than we had at the start of 2024, so we more than replaced the few customers who did not renew. 

We have a total of 211 ongoing support contracts, because many customers have support from us for multiple products.  

Support Customers by Region: 

• North America - 101
• Europe - 57
• Asia-Pacific - 19
• South America - 5
• Other - 5 (includes Middle East, Africa, and India)

In addition, we entered 2025 with 43 subscribers for Kea Premium whose subscriptions extend beyond 2024. These customers are self-supporting, with the help of the public kea-users mailing list. 

ISC’s Knowledgebase

We published or updated 69 articles, including 12 new CVE advisories. New articles cover such topics as: a Stork quickstart guide, Stork LDAP authentication, private networks and split DNS, RRset limits in zones, redefining standard options, exempting broken domains in recursion, altering the subnet mask option based on giaddr, the Umbrella feature in detail, and a brief introduction to LDAP.

Our top 10 most-read articles in 2024 were:

1. BIND 9 Security Vulnerability Matrix
2. ISC DHCP 4.1 Manual Pages - dhcpd.conf
3. BIND Logging - some basic recommendations
4. ISC DHCP 4.4 Manual Pages - dhcp-options
5. ISC Packages for BIND 9
6. CVE-2023-50387: KeyTrap - Extreme CPU consumption in DNSSEC validator
7. CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources
8. ISC DHCP 4.4 Manual Pages - dhcpd.conf
9. Understanding views in BIND 9, with examples
10. Using Official ISC Packages for Kea

Several years ago we put the ISC DHCP man pages into documents in the KB, and ever since they have been astonishingly popular. There are fewer articles on Kea in our Knowledgebase, and fewer views, in part because the Kea ARM is quite comprehensive and provides more detailed configuration advice than the BIND ARM. BIND is the most frequently read category, with nearly 168,000 views of those articles.

The top searches in the KB were for “windows”, “logging”, “cve-2023-50387”, “failover”, “ipv6”, “dnssec”, “rndc”, “next-server”, “ddns”, “CVE-2023-50868”, and “Docker”. We ended support for BIND on Windows several years ago, but people continue to look for it.

ISC Contributions to External Open Source Projects and Community Programs

ISC encourages staff to participate in the Internet infrastructure technical community, and several currently have significant roles outside of ISC.

DNS-OARC

• ISC is an organization member of OARC.
• Ray Bellis is a member of the Board of Directors of DNS-OARC.
• Cathy Almond is the Chair of the Program Committee of DNS-OARC.

NANOG

T. Marc Jones is a member of the NANOG Community Engagement Committee.

ICANN

• Jeff Osborn is Chair of the Root Server System Advisory Committee (RSSAC).
• Rob Carolina is ISC’s Alternative Representative on RSSAC.
• Ondřej Surý is a Trusted Community Representative and Recovery Key Share Holder for the DNS Root Zone.

IETF

• Petr Špaček is ICANN Liaison for IETF, and a member of the expert reviewer team for the DNS Directorate.
• While ISC staff participated in reviews and discussions of numerous IETF documents, only one document authored by an ISC staff person reached RFC status in 2024: DHCPv6 Options for the Homenet Naming Authority, co-authored by Tomek Mrugalski.

Open Source Contributions to Non-ISC Projects

Our staff are welcome and encouraged to contribute to external projects. These are some of our code contributions.

Michał Kępień

• https://github.com/libgit2/pygit2/pull/1282
• https://github.com/openwrt/openwrt/pull/13453
• https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111613
• https://github.com/libgit2/libgit2/pull/6973

Michal Nowak

• https://github.com/libuv/libuv/issues/4584
• https://github.com/rthalley/dnspython/issues/1055
• https://github.com/rthalley/dnspython/issues/1034

Sławek Figiel

• https://github.com/shirou/gopsutil - Fix a bug occurring on BSD-like systems
• https://github.com/goreleaser/nfpm - Enable environment variable substitution for a configuration option

Tomek Mrugalski implemented DNR option sending in Wireshark; his patch was submitted upstream.

Ondřej Surý led the effort to update the PHP packages in next Debian stable (trixie) to PHP 8.4, and runs the highly successful https://deb.sury.org project that provides multiple PHP version packages for Debian and Ubuntu.

ISC sponsored work in the libuv project, to add the uv_udp_try_send2() function.

Other Community Engagement

ISC published 18 blogs in 2024.

ISC staff delivered at least eight presentations at community events. ISC abandoned Twitter/X a long time ago: in 2024 we added a Bluesky account to our social media presence.

ISC did not give any webinars in 2024. Our usual presenter was unavailable, and the viewership for these events had declined over the years, giving us the impression that these were no longer worth the effort. 

ISC sponsored an information table at all three 2024 NANOGs, sponsored a scholarship program for All Things Open for local user groups, and contributed to the 2024 BSDCan.