hat tip to .gov hostmasters

Michael Thomas mike at mtcc.com
Mon Sep 22 10:42:58 CDT 2008

Jason Frisvold wrote:
> On Mon, Sep 22, 2008 at 11:02 AM, Chris Owen <owenc at hubris.net> wrote:
>> Chicken, meet egg.
>> I think the point of the original post is that one end or the other has to
>> start things.  At least we have one US zone doing something on the server
>> end of things.
> Oh, agreed, absolutely.  And it's great to see.  However, neither the
> slashdot blurb, nor the NetworkWorld article mention that without a
> valid resolver, there is no guarantee of security.  Sure, they mention
> that vendors are rolling it out and that ISPs should be following
> suit, but no mention is made of the end-user's resolver at all...

I dunno, a few very strategically placed validating resolvers could subject
a huge amount of DNS traffic to a much higher bar were the senders so
inclined to sign their zones. But I tend to view these kinds of things much
more from an "epidemiology" point of view: you don't have to have 100%
eradication to control an epidemic. Same thing pretty much goes with
based attacks, IMO: when the barrier is set sufficiently high in one area,
attackers don't spend their entire time trying to break that barrier, they
find the next lowest barrier and move on.


More information about the NANOG mailing list