[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Sean Donelan sean at donelan.com
Thu Jul 10 21:24:37 UTC 2008


On Thu, 10 Jul 2008, Paul Vixie wrote:
> you say toe-mae-toe, i say toe-mah-toe.  there is excellent cause for fear,
> and no reason to expect that udp port randomization is going to last forever
> in the face of new threats, both some i've considered or heard of, and others
> we can only dream of.  DNS is too attractive a target, too much fruit hanging
> too low for too long, to imagine that we'll be crypto-free for our lifetimes.

Fear too frightening it must be kept secret for 30 days.

S/MIME - implement now or email will die
S-BGP - implement now or BGP will die
DNSSEC - implement now or DNS will die

How many times have people made similar claims?

> so, no puffery.  the only full solution to this class of problem is DNSSEC,
> and the people who have no business case for deploying it, have to grow some.

So far the business case is "trust Paul Vixie, he says it's scary and the 
only answer is DNSSEC."

If you want to play the "it's too secret" game, OK.  But recognize that is 
what you are doing.
