On Thu, 24 Jul 2008, Paul Ferguson wrote:
Let's hope some very large service providers get their act together real soon now.
There is always a tension between discovery, changing, testing and finally deployment.
Sure, I can empathize, to a certain extent. But this issue has been known for 2+ weeks now.
Not sure I can be very empathic now, given the seriousness, and the proper warning ISPs have been given.
Also recognize some of the simple testing tools get a bit confused by some of the more complex DNS configurations used by the mega-ISP DNS clusters; and generate false positive (and maybe even false negative) results. You can see it happen when the testing tool reports widely different numbers of queries checked. Several of the ISPs with complex DNS clusters are patching and upgrading them; however the current state of some of the patches wouldn't support the query load those providers normally experience. So they've been working on alternative mitigation strategies. However, it's difficult to know if the alternative strategies actually mitigate the actual threat without knowing the actual threat. And finally, there probably are some providers who haven't made plans to change their DNS. Unfortunately, the testing tools can't read minds (yet), so it's difficult to know which ISPs are in this category.
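The following is an added illustration, not part of the thread above, of the effect described in the last message: a checker that judges a resolver by the source ports of its outbound queries gets far fewer samples per address when a cluster answers from many addresses, so its verdict (and the "queries checked" count it reports) swings between runs. It assumes the test in question is a source-port randomness check, as the July 2008 DNS checkers performed; the thresholds MIN_SAMPLES and MIN_PORT_SPREAD, the addresses and the port lists are constructed for the example.

```python
# Added example (not from the thread): a source-port randomization check run
# per source address, next to the pooled view a naive tool would take.
# Assumption: the checker judges a resolver by the UDP source ports it uses
# for outbound queries. Thresholds and sample data below are constructed.
from collections import defaultdict
from dataclasses import dataclass

MIN_SAMPLES = 5          # hypothetical: fewer observations than this is no verdict
MIN_PORT_SPREAD = 4096   # hypothetical: ports confined to a narrower band look non-random


@dataclass(frozen=True)
class Query:
    src_ip: str     # address the resolver sent the query from
    src_port: int   # UDP source port of that query


def judge_ports(ports):
    """Classify a list of observed source ports from ONE source address."""
    n = len(ports)
    if n < MIN_SAMPLES:
        return "INCONCLUSIVE"
    distinct = len(set(ports))
    if distinct == 1:
        return "FIXED_PORT"
    if distinct < n or (max(ports) - min(ports)) < MIN_PORT_SPREAD:
        return "POOR"      # repeats, or a narrow band, within a handful of samples
    return "GOOD"


def assess_per_source(queries):
    """Group queries by source address; return {ip: (samples, verdict)}."""
    by_src = defaultdict(list)
    for q in queries:
        by_src[q.src_ip].append(q.src_port)
    return {ip: (len(ports), judge_ports(ports)) for ip, ports in by_src.items()}


def assess_pooled(queries):
    """What a tool that ignores source addresses sees: one count, one verdict."""
    ports = [q.src_port for q in queries]
    return (len(ports), judge_ports(ports))


# --- constructed samples -------------------------------------------------
# One resolver, always port 53.
SINGLE_FIXED = [Query("192.0.2.10", 53) for _ in range(10)]
# One resolver, randomized ports.
SINGLE_RANDOM = [Query("192.0.2.11", p) for p in
                 (1025, 39211, 60133, 7712, 51984, 33000, 2999, 45678, 58111, 12345)]
# A cluster: six members, each seen only twice during the probe.
CLUSTER = [Query(f"192.0.2.{100 + i}", p)
           for i, pair in enumerate([(1025, 39211), (60133, 7712), (51984, 33000),
                                     (2999, 45678), (58111, 12345), (20000, 50000)])
           for p in pair]

if __name__ == "__main__":
    print("single fixed   ", assess_per_source(SINGLE_FIXED))
    print("single random  ", assess_per_source(SINGLE_RANDOM))
    print("cluster/source ", assess_per_source(CLUSTER))
    print("cluster/pooled ", assess_pooled(CLUSTER))
```

Run stand-alone, the single hosts get clear verdicts from 10 samples each, while the cluster yields six "INCONCLUSIVE" results of 2 samples apiece; pooling the same 12 queries across addresses produces a confident "GOOD" from data that says nothing about any one member's socket behaviour, which is how a tool can end up reporting very different query counts and verdicts for the same provider.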