[dns-operations] Concerns regarding the ICANN/IANA DNS vulnerability checker
David Conrad
drc at virtualized.org
Mon Aug 11 14:12:42 UTC 2008

Florian,

On Aug 11, 2008, at 2:11 AM, Florian Weimer wrote:
>> False positive - perhaps if your only threat model for DNS is Dan
>> Kaminsky powered script kiddie might make them look daft.
>
> Maybe. But if it's a real problem, why doesn't ICANN make sure that
> at least the gTLDs under its influence are protected before going
> public?

The recursive.iana.org site is provided by IANA. In this context,
IANA does not make a significant distinction between gTLDs and other
TLDs.

As for ICANN forcing the gTLDs to do something, I suspect that would
require public consultations, process development processes, lawyers
and contractual modifications and stuff. I'm guessing this would take
a bit longer than the amount of time since the vulnerability was found
until it was disclosed.

> On the other hand, if it's not that important, it's rather
> questionable to associate it with the other DNS issues we're dealing
> with right now.

So, you'd prefer IANA not do anything? A valid point of view I
suppose, however I'd note that a good number of TLDs fixed their
servers since IANA took the advisory steps it did.

Regards,
-drc