* Leo Bicknell:

> In a message written on Tue, Aug 04, 2009 at 11:32:46AM -0700, Kevin Oberman wrote:
>
>> There is NO fix. There never will be as the problem is architectural to the most fundamental operation of DNS. Other than replacing DNS (not feasible), the only way to prevent this form of attack is DNSSEC. The "fix" only makes it much harder to exploit.
>
> I don't understand why replacing DNS is "not feasible".

Replacing the namespace is not feasible because any newcomer will lack the liability shield ICANN, root operators, TLD registries, and registrars have established for the Internet DNS root, so it will never get beyond the stage of hashing out the legal issues. We might have an alternative one day, but it's going to happen by accident, through generalization of an internal naming service employed by a widely-used application. There are several successful application-specific naming services which are independent of DNS, but all the attempts at replacing DNS as a general-purpose naming service have failed.

The transport protocol is a separate issue. It is feasible to change it, but the IETF has a special working group which is currently tasked to prevent any such changes.

-- 
Florian Weimer <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99