[163905] in North American Network Operators' Group


Fwd: Re: This is a coordinated hacking. (Was Re: Need help in

daemon@ATHENA.MIT.EDU (Timothy Morizot)
Thu Jun 20 19:41:58 2013

In-Reply-To: <CAFy81rnxVD+z26FTw714Bj_95TM+97X4kV6vmikBr80mM1gkEg@mail.gmail.com>
Date: Thu, 20 Jun 2013 18:41:47 -0500
From: Timothy Morizot <tmorizot@gmail.com>
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Jun 20, 2013 5:31 PM, "Randy Bush" <randy@psg.com> wrote:
> and dnssec did not save us.  is there anything which could have?

Hmmm. DNSSEC wouldn't have prevented an outage. But from everything I've
seen reported, had the zones been signed, validating recursive resolvers
(comcast, google, much of federal government, mine) would have returned
servfail and would not have cached the bad nameservers in their good cache.

Users would have simply failed to connect instead of being sent to the
wrong page and recovery would have been quicker and easier. From my
perspective as someone responsible for DNS at a fairly large enterprise,
that would have been preferable.

But then, the zones for which I'm responsible are signed.

YMMV,

Scott
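
An added sketch (not part of the original message, and not any resolver's actual code) of the behaviour described above: a validating resolver that finds a DS for the zone in the parent refuses answers from servers that cannot present a matching DNSKEY, while an unsigned zone's answers are accepted and cached. It assumes the parent still publishes the DS for the legitimate key; function names and the sample keys are constructed for illustration, and only the DS-to-DNSKEY link is modelled, not RRSIG verification.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034, 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(public_key, flags=257, protocol=3, algorithm=13):
    """DNSKEY RDATA: flags, protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields (key tag, algorithm, SHA-256 digest) for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest)

def resolve(owner, parent_ds, served_dnskeys, cache):
    """Toy validator: models only the DS-to-DNSKEY link, not RRSIG checks."""
    if not parent_ds:
        cache[owner] = "unvalidated answer"      # unsigned zone: accepted and cached
        return "INSECURE"
    if any(make_ds(owner, k) in parent_ds for k in served_dnskeys):
        cache[owner] = "validated answer"
        return "SECURE"
    return "SERVFAIL"                            # bogus: nothing enters the cache

# Constructed sample data: placeholder bytes, not real keys.
ZONE = "example.com."
LEGIT_KEY = dnskey_rdata(bytes(range(64)))
ROGUE_KEY = dnskey_rdata(bytes(range(64, 128)))
PARENT_DS = [make_ds(ZONE, LEGIT_KEY)]           # DS the parent still publishes

if __name__ == "__main__":
    for label, ds, keys in [
        ("signed zone, legitimate servers", PARENT_DS, [LEGIT_KEY]),
        ("signed zone, rogue servers with own key", PARENT_DS, [ROGUE_KEY]),
        ("signed zone, rogue servers unsigned", PARENT_DS, []),
        ("unsigned zone, rogue servers", [], []),
    ]:
        cache = {}
        print(f"{label}: {resolve(ZONE, ds, keys, cache)}, cache={cache}")
```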
