Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

Paul Vixie vixie at isc.org
Thu Jul 24 23:10:46 UTC 2008


> So is this patch a "true" fix or just a temporary fix until further
> work can be done on the problem?

the only true fix is DNSSEC.  meanwhile we'll do UDP port randomization,
plus we'll randomize the 0x20 bits in QNAMEs, plus we'll all do what
nominum does and retry with TCP if there's a QID mismatch while waiting for
a response, and we'll start thinking about using TKEY and TSIG for
stub-to-RDNS relationships.

but the only true long term fix for this is DNSSEC.  all else is bandaids,
which is a shame, since it's a sucking chest wound and bandaids are silly.

> But is that truly an end-all fix, or is this just the initial cry to stop
> short-term hijacking?

all we're trying to do is keep the 'net running long enough to develop
and deploy DNSSEC, which would be much harder if updates.microsoft.com
almost never points to a microsoft-owned computer.

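The mitigations listed above (source-port randomisation, 0x20 case randomisation of the QNAME, and a TCP retry on QID mismatch), as an added Python illustration from the resolver's side; this is not part of the message and not any resolver's actual code, and the keyed-HMAC derivation of the case pattern and the sample key are assumptions made here:

```python
import hashlib
import hmac

# Constructed secret for the illustration; a real resolver would generate its own.
RESOLVER_KEY = b"constructed-example-key"

def encode_0x20(qname: str, key: bytes = RESOLVER_KEY, salt: bytes = b"") -> str:
    """Randomise the case of each letter in a query name (the "0x20 bits").

    DNS name matching is case-insensitive, but the authoritative server echoes
    the question back as sent, so the case pattern is extra entropy a forged
    reply must reproduce.  Deriving it from a keyed hash (an assumption here)
    lets the resolver regenerate the pattern instead of storing it per query.
    """
    pattern = hmac.new(key, salt + qname.lower().encode("ascii"), hashlib.sha256).digest()
    bits = int.from_bytes(pattern, "big")  # 256 bits covers any legal name length
    out, i = [], 0
    for ch in qname:
        if ch.isalpha():
            out.append(ch.upper() if (bits >> i) & 1 else ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def extra_entropy_bits(qname: str) -> int:
    """Each letter contributes one bit; digits, hyphens and dots contribute none."""
    return sum(1 for ch in qname if ch.isalpha())

def guess_space_bits(qname: str, qid_bits: int = 16, port_bits: int = 16) -> int:
    """Bits a blind forgery must match: QID, randomised source port, case pattern.

    With a fixed source port (port_bits=0) only the QID and the name's letters
    remain, which is why port randomisation matters so much for short names.
    """
    return qid_bits + port_bits + extra_entropy_bits(qname)

def classify_response(sent_qid: int, sent_qname: str, resp_qid: int, resp_qname: str) -> str:
    """Resolver-side check on a UDP reply: accept it, or fall back to TCP.

    A QID mismatch while waiting triggers the TCP retry the message describes;
    treating a case mismatch in the echoed name the same way is an assumption
    of this example.
    """
    if resp_qid != sent_qid or resp_qname != sent_qname:
        return "retry-tcp"
    return "accept"
```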