Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

Joe Greco jgreco at ns.sol.net
Thu Jul 24 09:56:32 CDT 2008


> > > i am sick and bloody tired of hearing from the people who aren't impressed.
> > 
> > Well, Paul, I'm not *too* impressed, and so far, I'm not seeing what is
> > groundbreaking, except that threats discussed long ago have become more
> > practical due to the growth of network and processing speeds, which was 
> > a hazard that ...  was actually ALSO predicted.
> 
> 11 seconds.
> 
> and at&t refuses to patch.
> 
> and all iphones use those name servers.
> 
> your move.

MY move?  Fine.  You asked for it.  Had I your clout, I would have used
this opportunity to convince all these new agencies that the security of
the Internet was at risk, and that getting past the "who holds the keys"
for the root zone should be dealt with at a later date.  Get the root
signed and secured.  Get the gTLDs signed and secured.  Give people the
tools and techniques to sign and secure their zones.  Focus on banks,
ISPs, and other critical infrastructure.  You don't have to do all that
yourself, since we have all these wonderful new agencies charged with
various aspects of keeping our nation secure, including from electronic
threats, and certainly there is some real danger here.

This in no way prevents you from simultaneously releasing patches to do
query source port randomization, of course, and certainly I think that a
belt-and-suspenders solution is perfectly fine, but right now, I'm only
seeing the belt...

But realizing that going from 11 seconds to (11 * 64512 =) 8.21 days is 
not a significant jump from the PoV of an attacker would certainly have
factored into my decision-making process.

But we didn't do my move.  We did yours.  So back to the real world.

You're still vulnerable.

Your move.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
