On 24 Jul 2008, at 10:56, Joe Greco wrote:
MY move? Fine. You asked for it. Had I your clout, I would have used this opportunity to convince all these new agencies that the security of the Internet was at risk, and that getting past the "who holds the keys" for the root zone should be dealt with at a later date. Get the root signed and secured.
Even if that was done today, there would still be a risk of cache poisoning for months and years to come.
You're confusing the short-term and the long-term measures, here.
No, I'm not. I did say that the other fix could be implemented regardless. However, since it is at best only a band-aid, it should be treated and understood as such, rather than misinforming people into thinking that their nameservers are "not vulnerable" once they've applied it. So I'm not the confused party. There are certainly a lot of confused parties out there who believe they have servers that are not vulnerable.
Get the GTLD's signed and secured.
I encourage you to read some of the paper trail involved with getting ORG signed, something that the current roadmap still doesn't accommodate for the general population of child zones until 2010. It might be illuminating.
You know, I've been watching this DNSSEC thing for *years*. I don't need to read any more paper trail. There was no truly good excuse for this not to have been done years ago.
Even once everything is signed and working well to the zones that registries are publishing, we need to wait for registrars to offer DNSSEC key management to their customers.
Even once registrars are equipped, we need people who actually host customer zones to sign them, and to acquire operational competence required to do so well.
And even after all this is done, we need a noticeable proportion of the world's caching resolvers to turn on validation, and to keep validation turned on even though the helpdesk phone is ringing off the hook because the people who host the zones your customers are trying to use haven't quite got the hang of DNSSEC yet, and their signatures have all expired.
Compared with the problem of global DNSSEC deployment, getting everybody in the world to patch their resolvers looks easy.
Of course. That's why I said that deploying this patch was something that could be done *too*. The point, however, was contained in my earlier message. You can only cry "wolf" so many times before a lot of people stop listening. Various evidence over the years leads me to believe that this is any number greater than one time. The point is that I believe the thing to do would have been to use this as a giant push for "DNSSEC Now! No More Excuses!" As it stands, there will likely be another exploit discovered in a year, or five years, or whatever, which is intimately related to this attack, and which DNSSEC would have solved. I don't particularly care to hear excuses about why DNSSEC is {a failure, impractical, can't be deployed, hasn't been deployed, won't be deployed, isn't a solution, isn't useful, etc} because I've probably heard them all before. We should either embrace DNSSEC, or we should simply admit that this is one of the many problems we just don't really care to fix for real. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.