[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Otmar Lendl ol at bofh.priv.at
Thu Jul 10 07:35:34 UTC 2008

On 2008/07/10 03:07, "Patrick W. Gilmore" <patrick at ianai.net> wrote:
> The last time we had something like this was the BGP/MD5 fiasco.  We  
> were told to trust the messengers, it was horrifically bad, the  
> Internet was about to die.

This touches on a basic principle of disaster containment:

  Predicted disasters rarely happen.

Take Y2K. Take the BGP/MD5 thing. Hopefully this DNS issue, too.

My pet theory is that massive panic and PR activity cause people to
look at the issue, fix most of the bugs/problems which can cause the
disaster or prepare to deal with the effects if they are hit.

The result is that these pre-announced disasters don't materialize in
the predicted, massive scope.

On the other hand, if there hadn't been the public panic, preparations
would not have been as extensive and thus the disaster might indeed have

So, the best possible case for this week's "the world is doomed" scare
is that the fear-mongering will indeed work to trigger the necessary
updates. Hopefully, people will tell each other in a year "gee, that was
an unnecessary panic last year, nothing happened when they released the
details of the attack".

I wish the same were true for the IPv4 address exhaustion.

-=-  Otmar Lendl  --  ol at bofh.priv.at  -=-
