[106249] in North American Network Operators' Group
Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?
daemon@ATHENA.MIT.EDU (Jason Frisvold)
Thu Jul 24 16:58:57 2008
Date: Thu, 24 Jul 2008 16:58:29 -0400
From: "Jason Frisvold" <xenophage0@gmail.com>
To: "Paul Vixie" <vixie@isc.org>
In-Reply-To: <46280.1216919645@nsa.vix.com>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On Thu, Jul 24, 2008 at 1:14 PM, Paul Vixie <vixie@isc.org> wrote:
> in spite of that caution i am telling you all, patch, and patch now. if you
> have firewall or NAT configs that prevent it, then redo your topology -- NOW.
> and make sure your NAT isn't derandomizing your port numbers on the way out.
>
> and if you have time after that, write a letter to your congressman about the
> importance of DNSSEC, which sucks green weenies, and is a decade late, and
> which has no business model, but which the internet absolutely dearly needs.
So is this patch a "true" fix or just a temporary fix until further
work can be done on the problem? I listened to Dan's initial
presentation and I've read a lot of speculation since then. I've also
taken a look at the various blog entries that detail the problem. I
believe I understand what the issue is and I can see how additional
randomization helps. But is that truly an end-all fix, or is this
just the initial cry to stop short-term hijacking?
--
Jason 'XenoPhage' Frisvold
XenoPhage0@gmail.com
http://blog.godshell.com
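The thread turns on two checks a resolver operator would want to make after patching: whether the outbound source ports actually look random once they leave the network (Vixie's warning about NATs "derandomizing" ports on the way out), and how much the extra randomization actually buys against a blind spoofer compared with the 16-bit transaction ID alone. The script below is an added example written for this archive page, not code from the thread or from any resolver vendor. It assumes you have already pulled the UDP source ports of your resolver's outbound queries out of a packet capture; the four port lists in it are constructed samples standing in for that capture, and the thresholds in `port_randomization_report` are judgement calls, not a standard.

```python
"""Classify a sample of outbound DNS source ports and size the spoofer's search space.

Added example for the NANOG thread on the 2008 source-port randomization
patch; not code from the thread. Input is a list of UDP source ports as
read off a capture of a resolver's outbound queries. The sample lists at
the bottom are constructed, not captured.
"""
import math
import random
from collections import Counter

TXID_SPACE = 1 << 16          # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024 + 1  # size of a typical randomized port range (assumption)


def shannon_entropy_bits(ports):
    """Empirical Shannon entropy of the observed port values, in bits.

    Bounded above by log2(len(ports)), so read it relative to sample size:
    256 distinct ports in 256 samples is 8 bits, not 16.
    """
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())


def looks_sequential(ports, tolerance=0.9):
    """True when at least `tolerance` of successive samples step by exactly +1,
    the signature of a NAT handing out ports from a counter."""
    if len(ports) < 2:
        return False
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1) >= tolerance


def port_randomization_report(ports):
    """Return a dict describing the sample, with a verdict in
    {"fixed", "sequential", "low-entropy", "randomized"}.

    Thresholds (90% distinct values, span of at least 2^14 ports) are
    assumptions chosen for a sample of a few hundred queries.
    """
    n = len(ports)
    unique = len(set(ports))
    span = max(ports) - min(ports) + 1
    entropy = shannon_entropy_bits(ports)
    if unique == 1:
        verdict = "fixed"            # one port for every query: TXID is all that protects you
    elif looks_sequential(ports):
        verdict = "sequential"       # NAT/firewall rewrote ports from a counter
    elif unique < 0.9 * n or span < (1 << 14):
        verdict = "low-entropy"      # a small pool of ports, easy to enumerate
    else:
        verdict = "randomized"
    return {"samples": n, "unique": unique, "span": span,
            "entropy_bits": round(entropy, 2), "verdict": verdict}


def attacker_search_space(port_count, txid_space=TXID_SPACE):
    """Number of (TXID, source port) pairs a blind spoofer must cover per query.

    With one fixed port this collapses to the 16-bit TXID; with the port
    drawn from the whole ephemeral range it grows by a factor of ~64k.
    """
    return txid_space * port_count


# Constructed samples (not real captures), 256 queries each.
_rng = random.Random(2008)
RANDOM_PORTS = [_rng.randint(1024, 65535) for _ in range(256)]   # healthy resolver
NAT_SEQUENTIAL_PORTS = list(range(40000, 40256))                  # NAT counter
FIXED_PORTS = [53] * 256                                          # single source port
_pool = [1024 + 100 * i for i in range(16)]
NAT_POOL_PORTS = [_rng.choice(_pool) for _ in range(256)]         # NAT with a 16-port pool


if __name__ == "__main__":
    for name, sample in [("random", RANDOM_PORTS), ("nat-sequential", NAT_SEQUENTIAL_PORTS),
                         ("fixed", FIXED_PORTS), ("nat-pool", NAT_POOL_PORTS)]:
        print(f"{name:15s} {port_randomization_report(sample)}")
    print("search space, fixed port:", attacker_search_space(1))
    print("search space, full range:", attacker_search_space(EPHEMERAL_PORTS))
```

Run it against ports taken from a capture on the outside of your NAT, not on the resolver itself: the whole point of the warning is that the resolver may be randomizing correctly while the translator collapses the ports to a counter or a small pool before they reach the authoritative server. The search-space figures answer the "true fix or stopgap" question in numbers: randomized ports raise the cost of a blind guess from 2^16 to roughly 2^32 combinations per query, which is why it is a strong mitigation but not a cryptographic one; only a signed answer (DNSSEC) removes the guessing game entirely.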