Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

Paul Vixie vixie at isc.org
Thu Jul 24 12:14:05 CDT 2008


> "Refuses to patch" sounds likes FUD.

go ask 'em, and let us all know what they say.

kaminsky tried to get everybody a month, but because of ptacek's sloppiness
it ended up being 13 days.  if any dns engineer at any internet carrier goes
home to sleep or see their families before they patch, then they're insane.

yes, i know the dangers of rolling patches out too quickly.  better than most
folks, since i've been on the sending side of patches that caused problems,
and i've learned caution from the pain i've inadvertantly caused in that way.

in spite of that caution i am telling you all, patch, and patch now.  if you
have firewall or NAT configs that prevent it, then redo your topology -- NOW.
and make sure your NAT isn't derandomizing your port numbers on the way out.

and if you have time after that, write a letter to your congressman about the
importance of DNSSEC, which sucks green weenies, and is a decade late, and
which has no business model, but which the internet absolutely dearly needs.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.





More information about the NANOG mailing list