[dns-operations] DNS issue accidentally leaked?
David Conrad
drc at virtualized.org
Tue Jul 22 19:58:33 UTC 2008
Paul,
On Jul 22, 2008, at 11:10 AM, Paul Vixie wrote:
> i am stunned, absolutely stunned,
I'm not (having experienced the joys of the 'security community' in
action in the past).
> is this how the community rewards dan for trying to buy us all some
> time to protect the infrastructure?
A lesson I learned long ago: there are portions of the 'security
community' that don't care about the infrastructure or the impact
their 'full disclosure' might have on the infrastructure. What they
care about is publicity, selling their services, and notoriety within
their echo chamber. The challenge is figuring out who are the good
guys and who are the bad guys.
However, all of this is beside the point. The vulnerability is now,
for all intents and purposes, published. Dan and you and the various
DNS vendors were able to buy some time, but the clock has run out. The
question is how many unpatched servers are there still out there?
Last I checked, Apple has not released a patched version of OS X to
deal with this issue. What other vendors who ship BIND have failed
like Apple? Has anyone considered doing a survey of the open
resolvers out there to determine the percentage that remain vulnerable
and tracking that percentage over time?
Regards,
-drc