Fwd: Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS)

Timothy Morizot tmorizot at gmail.com
Thu Jun 20 23:41:47 UTC 2013


On Jun 20, 2013 5:31 PM, "Randy Bush" <randy at psg.com> wrote:
> and dnssec did not save us.  is there anything which could have?

Hmmm. DNSSEC wouldn't have prevented an outage. But from everything I've
seen reported, had the zones been signed, validating recursive resolvers
(comcast, google, much of federal government, mine) would have returned
servfail and would not have cached the bad nameservers in their good cache.

Users would have simply failed to connect instead of being sent to the
wrong page and recovery would have been quicker and easier. From my
perspective as someone responsible for DNS at a fairly large enterprise,
that would have been preferable.

But then, the zones for which I'm responsible are signed.

YMMV,

Scott



More information about the NANOG mailing list