[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Paul Vixie vixie at isc.org
Thu Jul 10 17:38:24 UTC 2008

> Is ISC engaging in a bit of P.R. puffery talking about "the only full
> solution" to scare people to use DNSSEC.  ISC's previous vulnerability
> disclosures don't hype DNSSEC.

you say toe-mae-toe, i say toe-mah-toe.  there is excellent cause for fear,
and no reason to expect that udp port randomization is going to last forever
in the face of new threats, both some i've considered or heard of, and others
we can only dream of.  DNS is too attractive a target, too much fruit hanging
too low for too long, to imagine that we'll be crypto-free for our lifetimes.

the reason i've pissed a dozen or more years of my career down the DNSSEC
hole is that i've always known that DNS's (and UDP's and IP's) inherent
insecurities would catch up with us eventually.  we're not out of runway,
today, but we will be out of runway by the time we get DNSSEC deployed, if
we start in earnest Right Now (better tools, securing root + TLDs, etc.).

so, no puffery.  the only full solution to this class of problem is DNSSEC,
and the people who have no business case for deploying it have to grow some.
