[dns-operations] DNS issue accidentally leaked?

David Conrad drc at virtualized.org
Tue Jul 22 19:58:33 UTC 2008


On Jul 22, 2008, at 11:10 AM, Paul Vixie wrote:
> i am stunned, absolutely stunned,

I'm not (having experienced the joys of the 'security community' in  
action in the past).

> is this how the
> community rewards dan for trying to buy us all some time to protect
> the infrastructure?

A lesson I learned long ago: there are portions of the 'security  
community' that don't care about the infrastructure or the impact  
their 'full disclosure' might have on the infrastructure.  What they  
care about is publicity, selling their services, and notoriety within  
their echo chamber.  The challenge is figuring out who are the good  
guys and who are the bad guys.

However, all of this is beside the point.  The vulnerability is now,  
for all intents and purposes, published.  Dan and you and the various  
DNS vendors were able to buy some time, but the clock has run out. The  
question is how many unpatched servers are there still out there?   
Last I checked, Apple has not released a patched version of OS X to  
deal with this issue.  What other vendors who ship BIND have failed  
like Apple?  Has anyone considered doing a survey of the open  
resolvers out there to determine the percentage that remain vulnerable  
and tracking that percentage over time?

