[106252] in North American Network Operators' Group
Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?
daemon@ATHENA.MIT.EDU (Paul Vixie)
Thu Jul 24 19:42:08 2008
From: Paul Vixie <vixie@isc.org>
To: "Jason Frisvold" <xenophage0@gmail.com>
In-Reply-To: Your message of "Thu, 24 Jul 2008 16:58:29 -0400."
<924f29280807241358h62150dc4o17b605d8049b475c@mail.gmail.com>
Date: Thu, 24 Jul 2008 23:10:46 +0000
X-Vix-MailScanner-From: vixie@vix.com
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
> So is this patch a "true" fix or just a temporary fix until further
> work can be done on the problem?
the only true fix is DNSSEC. meanwhile we'll do UDP port randomization,
plus we'll randomize the 0x20 bits in QNAMEs, plus we'll all do what
nominum does and retry with TCP if there's a QID mismatch while waiting for
a response, and we'll start thinking about using TKEY and TSIG for
stub-to-RDNS relationships.
but the only true long term fix for this is DNSSEC. all else is bandaids,
which is a shame, since it's a sucking chest wound and bandaids are silly.
> But is that truly an end-all fix, or is this just the initial cry to stop
> short-term hijacking?
all we're trying to do is keep the 'net running long enough to develop
and deploy DNSSEC, which would be much harder if updates.microsoft.com
almost never points to a microsoft-owned computer.
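Added example, not part of Vixie's message or of BIND's or Nominum's code: a Python sketch of two of the bandaids he lists, 0x20 case randomization of the QNAME and the resolver-side check that the echoed question section matches the query byte-for-byte, plus a rough count of how much guessing each mitigation adds for a spoofer. The packet layout is the RFC 1035 header and question section; `build_response` fabricates answers purely for the demonstration, the port-entropy figure is a parameter rather than a measurement, and all function and variable names are this example's own.

```python
import random
import struct
from typing import Optional, Tuple


def encode_0x20(qname: str, rng: Optional[random.Random] = None) -> str:
    """Randomize the case of every ASCII letter in a DNS name (the 0x20 bit).

    Authoritative servers match names case-insensitively but echo the question
    section back byte-for-byte, so the case pattern becomes extra entropy a
    spoofer must guess in addition to the 16-bit QID and the UDP source port.
    """
    rng = rng or random.SystemRandom()
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if rng.getrandbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def extra_bits_0x20(qname: str) -> int:
    """Entropy 0x20 adds: one bit per ASCII letter; digits, dots, hyphens add none."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def encode_name(qname: str) -> bytes:
    """Wire-format a name as length-prefixed labels, preserving case."""
    wire = b""
    for label in qname.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def build_query(qid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(qid: int, echoed_qname: str) -> bytes:
    """Simulated answer (constructed for this example): same QID, QR bit set,
    question echoed with whatever case the sender chose, no answer records."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0)
    return header + encode_name(echoed_qname) + struct.pack("!HH", 1, 1)


def parse_question(msg: bytes) -> Tuple[int, str]:
    """Return (QID, question name exactly as on the wire, case included)."""
    qid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return qid, ".".join(labels) + "."


def accept_response(query: bytes, response: bytes) -> bool:
    """Resolver-side check: QR set, QID equal, and the echoed question name
    equal byte-for-byte (the case-sensitive compare is the whole 0x20 check).
    Source-port matching happens at the UDP socket and is not modelled here."""
    if not response[2] & 0x80:
        return False
    sent_qid, sent_name = parse_question(query)
    got_qid, got_name = parse_question(response)
    return sent_qid == got_qid and sent_name == got_name


def expected_spoof_attempts(qname: str, port_bits: int) -> int:
    """Forged packets an attacker needs on average to hit QID, port and 0x20
    pattern at once: half the search space. port_bits is 0 for a fixed source
    port, up to 16 with full randomization (real ephemeral ranges give less)."""
    return 2 ** (16 + port_bits + extra_bits_0x20(qname)) // 2


if __name__ == "__main__":
    name = encode_0x20("updates.microsoft.com.")
    q = build_query(0x1234, name)
    print("sent:", name)
    print("genuine echo accepted:", accept_response(q, build_response(0x1234, name)))
    print("lowercase forgery accepted:", accept_response(q, build_response(0x1234, name.lower())))
    for bits in (0, 16):
        print(f"port bits={bits:2d}: ~{expected_spoof_attempts(name, bits):,} attempts")
```

The mismatch that `accept_response` rejects is the event Vixie's "retry with TCP if there's a QID mismatch" refers to; a real resolver would drop the packet, keep waiting, and re-ask over TCP once the flood of wrong guesses is noticed. Note how much the 0x20 gain depends on the name: `updates.microsoft.com.` contributes 19 bits, while a short name with few letters contributes almost nothing, and none of these checks authenticates the answer, which is the point of his "only true fix is DNSSEC".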