[108001] in North American Network Operators' Group
Re: hat tip to .gov hostmasters
daemon@ATHENA.MIT.EDU (Michael Thomas)
Mon Sep 22 11:43:34 2008
Date: Mon, 22 Sep 2008 08:42:58 -0700
From: Michael Thomas <mike@mtcc.com>
To: Jason Frisvold <xenophage0@gmail.com>
In-Reply-To: <924f29280809220816h31c8b313o5aa4eae2482fa768@mail.gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Jason Frisvold wrote:
> On Mon, Sep 22, 2008 at 11:02 AM, Chris Owen <owenc@hubris.net> wrote:
>
>> Chicken, meet egg.
>>
>> I think the point of the original post is that one end or the other has to
>> start things. At least we have one US zone doing something on the server
>> end of things.
>>
>
> Oh, agreed, absolutely. And it's great to see. However, neither the
> slashdot blurb, nor the NetworkWorld article mention that without a
> valid resolver, there is no guarantee of security. Sure, they mention
> that vendors are rolling it out and that ISPs should be following
> suit, but no mention is made of the end-user's resolver at all...
>
I dunno, a few very strategically placed validating resolvers could subject
a huge amount of DNS traffic to a much higher bar were the senders so
inclined to sign their zones. But I tend to view these kinds of things much
more from an "epidemiology" point of view: you don't have to have 100%
eradication to control an epidemic. Same thing pretty much goes with
Internet-based attacks, IMO: when the barrier is set sufficiently high in
one area, attackers don't spend their entire time trying to break that
barrier, they find the next lowest barrier and move on.
Mike