Sure, smart guy. And there are also issues with IP packets which are passed across untrusted nodes in the Internet. What exactly is your point?
Why are you asking me questions after having placed me in your killfile? To answer your question briefly: there are fixes for both the poisoned-RR problem (extensive validity checking and non-caching cut-through responses), as explained by Johannes Erdfelt, and there are fixes for the guessable-ID problem (randomized query IDs backed up by server-survival assurances using "cookie" queries, along with a attack detection mechanism that reduces the entire problem to a denial-of-service attack). Neither of these involve DNSSEC. You are being told that the Internet is essentially broken until DNSSEC is implemented. Some people feel this is not the case. I am one of them. You have my apologies if my means of expressing this seem unacceptable to you. Thanks for taking the time to write! ---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com] ---------------- "If you're so special, why aren't you dead?"