Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

Joe Greco jgreco at
Thu Jul 24 16:24:07 UTC 2008

> On 24 Jul 2008, at 11:40, Joe Greco wrote:
> >> Compared with the problem of global DNSSEC deployment, getting
> >> everybody in the world to patch their resolvers looks easy.
> >
> > Of course.  That's why I said that deploying this patch was  
> > something that
> > could be done *too*.
> OK, good. 

Yeah, I'm not arguing against mitigating the immediate problem, but rather:

> Sorry if I misinterpreted your earlier message.

The problem is that we have this reactionary mindset to threats that have
been known for a long time, and we're perfectly happy to issue one-off
band-aid fixes, often while not fixing the underlying problem.

DNSSEC was designed to deal with just this sort of thing.  In almost TWO
DECADES since Bellovin's paper, which was arguably the motivation behind
DNSSEC, we've ...  still got an unsigned root, unsigned GTLD's, unsigned
zones, and we've successfully managed to get Gates to train users to click
on "OK" for any message where they don't understand what it's trying to
say, so relying on security at other layers isn't particularly effective

Collectively, those of us reading this list are responsible for creating 
at least part of this mess, either through inaction or foot-dragging. 
Welcome to the Internet that we've created.

... JG
Joe Greco - Network Services - Milwaukee, WI -
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

More information about the NANOG mailing list