[106341] in North American Network Operators' Group


Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

daemon@ATHENA.MIT.EDU (Martin Hannigan)
Sat Jul 26 21:16:57 2008

Date: Sat, 26 Jul 2008 21:16:46 -0400
From: "Martin Hannigan" <hannigan@gmail.com>
To: "Sean Donelan" <sean@donelan.com>, bmanning@vacation.karoshi.com,
	nanog@merit.edu
In-Reply-To: <200807261740470.32BF5B92.5810@clifden.donelan.com>
Errors-To: nanog-bounces@nanog.org

How about blacklists for:

Outdated and insecure IOS
Outdated and insecure SSH
Outdated and insecure Unix implementations
Spam appliances
Outdated OS images everywhere
Outdated and insecure dns
Outdated and insecure proxies
Outdated and insecure mysql, php, etc
Richard Stallman for rms/rms

One worthy example of leadership related to this current issue is RCN.
They apparently scanned their customer networks for this vuln and
called the vulnerable customer advising them of the problem and
politely requesting a fix.

Reinforces why full disclosure is better as well. Who got the early
warnings? Better yet, who didn't?


Best,

Marty


On 7/26/08, Sean Donelan <sean@donelan.com> wrote:
> On Sat, 26 Jul 2008, bmanning@vacation.karoshi.com wrote:
>> 	there you go.  the massive effort to patch would likely have
>> 	better been spent to actually -sign- the stupid zones and
>> 	work out key distribution.  but no... running around like
>> 	the proverbial headless chicken seems to get the PR.
>
> Maybe someone could publish a blacklist of vulnerable recursive
> name servers, and then F-Root, the other root name servers,
> and other "popular" sites could start refusing to answer queries
> from vulnerable name servers until after the blacklist operator decides
> they've patched their recursive server sufficiently?
>
> Maybe that would get their attention and encourage them to apply
> resources to the problem?
>
> Extreme situations justify extreme measures; or how extreme do
> you believe justifies what measures?
>
>
