Jason Frisvold wrote:
On Mon, Sep 22, 2008 at 11:02 AM, Chris Owen <owenc@hubris.net> wrote:
Chicken, meet egg.
I think the point of the original post is that one end or the other has to start things. At least we have one US zone doing something on the server end of things.
Oh, agreed, absolutely. And it's great to see. However, neither the slashdot blurb, nor the NetworkWorld article mention that without a valid resolver, there is no guarantee of security. Sure, they mention that vendors are rolling it out and that ISPs should be following suit, but no mention is made of the end-user's resolver at all...
I dunno, a few very strategically placed validating resolvers could subject a huge amount of DNS traffic to a much higher bar were the senders so inclined to sign their zones. But I tend to view these kinds of things much more from an "epidemiology" point of view: you don't have to have 100% eradication to control an epidemic. Same thing pretty much goes with internet-based attacks, IMO: when the barrier is set sufficiently high in one area, attackers don't spend their entire time trying to break that barrier, they find the next lowest barrier and move on.

Mike
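The point Jason raises, that a signed zone buys the end user nothing unless the resolver in front of them actually validates, is visible in the DNS header itself: a validating recursive resolver reports a successful check by setting the AD (Authenticated Data) bit in its response, and reports a failed one as SERVFAIL. The example below is added here to illustrate that and is not code from any poster in this thread. It decodes the 12-byte DNS header and classifies a response by those flags; the sample messages (and the `_build` helper, the `0xBEEF` transaction ID and the example.com question) are constructed for the demonstration, not captured traffic.

```python
"""Classify a DNS response by the DNSSEC-related bits in its header.

Added illustration for the thread above; not code from any poster.
"""
import struct

HEADER_FMT = "!HHHHHH"   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

# Bit positions in the 16-bit FLAGS word (RFC 1035 header, AD/CD from RFC 4035).
QR, AA, TC, RD, RA, AD, CD = 15, 10, 9, 8, 7, 5, 4
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header; raise on a truncated message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack(HEADER_FMT, msg[:12])

    def bit(pos: int) -> bool:
        return bool((flags >> pos) & 1)

    return {
        "id": ident,
        "qr": bit(QR), "aa": bit(AA), "tc": bit(TC), "rd": bit(RD),
        "ra": bit(RA), "ad": bit(AD), "cd": bit(CD),
        "rcode": flags & 0x0F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(msg: bytes) -> str:
    """Say what the resolver's header flags claim about validation.

    'validated'   response, NOERROR, AD set: the resolver checked signatures
    'unvalidated' response, NOERROR, AD clear: nothing was verified for us
    'bogus'       SERVFAIL with CD clear: what a validator returns on failure
                  (SERVFAIL has other causes too, so treat this as a hint)
    'other'       anything else (queries, NXDOMAIN, CD-set debugging queries)
    """
    h = parse_dns_header(msg)
    if not h["qr"]:
        return "other"
    if h["rcode"] == RCODE_NOERROR:
        return "validated" if h["ad"] else "unvalidated"
    if h["rcode"] == RCODE_SERVFAIL and not h["cd"]:
        return "bogus"
    return "other"


def _build(flags: int, ancount: int = 1) -> bytes:
    """Constructed sample: a header plus a question for example.com IN A.

    Hypothetical bytes for the demo. Only the header matters to the parser;
    the question is included so the message is shaped like a real one, and
    the answer section is deliberately omitted.
    """
    header = struct.pack(HEADER_FMT, 0xBEEF, flags, 1, ancount, 0, 0)
    question = b"\x07example\x03com\x00" + b"\x00\x01" + b"\x00\x01"  # QTYPE A, QCLASS IN
    return header + question


# Constructed sample responses (flags word shown for reference).
VALIDATED_RESPONSE = _build(1 << QR | 1 << RD | 1 << RA | 1 << AD)           # 0x81A0
UNVALIDATED_RESPONSE = _build(1 << QR | 1 << RD | 1 << RA)                   # 0x8180
SERVFAIL_RESPONSE = _build(1 << QR | 1 << RD | 1 << RA | RCODE_SERVFAIL, 0)  # 0x8182


if __name__ == "__main__":
    for name, msg in [("validating resolver", VALIDATED_RESPONSE),
                      ("non-validating resolver", UNVALIDATED_RESPONSE),
                      ("validation failure", SERVFAIL_RESPONSE)]:
        print(f"{name:24s} -> {classify_response(msg)}")
```

Two caveats a practitioner should keep in mind. A resolver only sets AD when the query asked for it (the AD bit or the EDNS DO bit set in the query; `dig +dnssec` does this, and a validating resolver then shows `ad` in the `flags:` line of its output). And the AD bit travels unauthenticated from the resolver to the stub, so it is only worth anything when that last hop is trusted, typically a validator on localhost or a link protected by something like TSIG or DNS over TLS; on an untrusted path an attacker who can forge the answer can forge the AD bit with it.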