> > i am sick and bloody tired of hearing from the people who aren't impressed.
>
> Well, Paul, I'm not *too* impressed, and so far, I'm not seeing what is
> groundbreaking, except that threats discussed long ago have become more
> practical due to the growth of network and processing speeds, which was
> a hazard that ... was actually ALSO predicted.
11 seconds.
and at&t refuses to patch.
and all iphones use those name servers.
your move.
MY move? Fine. You asked for it. Had I your clout, I would have used
this opportunity to convince all these new agencies that the security of
the Internet was at risk, and that getting past the "who holds the keys"
for the root zone should be dealt with at a later date. Get the root
signed and secured. Get the GTLDs signed and secured. Give people the
tools and techniques to sign and secure their zones. Focus on banks,
ISPs, and other critical infrastructure. You don't have to do all that
yourself, since we have all these wonderful new agencies charged with
various aspects of keeping our nation secure, including from electronic
threats, and certainly there is some real danger here.
This in no way prevents you from simultaneously releasing patches to do
query source port randomization, of course, and certainly I think that a
belt and suspenders solution is perfectly fine, but right now, I'm only
seeing the belt...
But realizing that going from 11 seconds to (11 * 64512 =) 8.21 days is
not a significant jump from the PoV of an attacker would certainly have
factored into my decision-making process.
But we didn't do my move. We did yours. So back to the real world.
You're still vulnerable.
Your move.
... JG
> MY move? Fine. You asked for it. Had I your clout, I would have used
> this opportunity to convince all these new agencies that the security of
> the Internet was at risk, and that getting past the "who holds the keys"
> for the root zone should be dealt with at a later date. Get the root
> signed and secured.
Even if that was done today, there would still be a risk of cache poisoning for months and years to come.
You're confusing the short-term and the long-term measures, here.
> Get the GTLDs signed and secured.
I encourage you to read some of the paper trail involved with getting ORG signed, something that the current roadmap still doesn't accommodate for the general population of child zones until 2010. It might be illuminating.
Even once everything is signed and working well to the zones that registries are publishing, we need to wait for registrars to offer DNSSEC key management to their customers.
Even once registrars are equipped, we need people who actually host customer zones to sign them, and to acquire operational competence required to do so well.
And even after all this is done, we need a noticeable proportion of the world's caching resolvers to turn on validation, and to keep validation turned on even though the helpdesk phone is ringing off the hook because the people who host the zones your customers are trying to use haven't quite got the hang of DNSSEC yet, and their signatures have all expired.
Compared with the problem of global DNSSEC deployment, getting everybody in the world to patch their resolvers looks easy.
Joe
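The failure mode Joe describes, a validating resolver rejecting answers because the zone operator let the signatures lapse, is something the people hosting zones can catch before the helpdesk phone rings. The following is an added example, not code from this thread: it evaluates RRSIG inception/expiration timestamps the way RFC 4034 says a validator must (32-bit serial arithmetic) and flags signatures that are expired or close to it. The records and the "now" value are constructed, and the three-day warning threshold is an assumed operational choice.

```python
from datetime import datetime, timezone

# Added example: classify RRSIG validity windows so expiring signatures are
# noticed before validating resolvers start failing.  Timestamps use the RRSIG
# presentation format YYYYMMDDHHmmSS in UTC (RFC 4034); records are constructed.

SERIAL_MOD = 1 << 32  # RRSIG times are 32-bit and compared with serial arithmetic

def parse_rrsig_time(text):
    """YYYYMMDDHHmmSS (UTC) -> seconds since the epoch, reduced to 32 bits."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % SERIAL_MOD

def serial_le(a, b):
    """True if a <= b under RFC 1982 serial-number arithmetic (mod 2^32)."""
    return a == b or ((b - a) % SERIAL_MOD) < (SERIAL_MOD // 2)

def rrsig_status(inception, expiration, now, warn_seconds=3 * 86400):
    """Return 'not-yet-valid', 'expired', 'expiring' or 'valid' for one RRSIG."""
    inc, exp, t = parse_rrsig_time(inception), parse_rrsig_time(expiration), now % SERIAL_MOD
    if not serial_le(inc, t):
        return "not-yet-valid"
    if not serial_le(t, exp):  # RFC 4034 3.1.5: valid only while inception <= now <= expiration
        return "expired"
    if (exp - t) % SERIAL_MOD < warn_seconds:  # assumed threshold: warn a few days ahead
        return "expiring"
    return "valid"

# Constructed RRSIG fields: (owner name, signature inception, signature expiration).
SAMPLE_RRSIGS = [
    ("example.org.",      "20080701000000", "20080731000000"),
    ("www.example.org.",  "20080710000000", "20080716000000"),
    ("mail.example.org.", "20080601000000", "20080630000000"),
]

def audit(rrsigs, now):
    """Return {owner: status} for every signature, evaluated at epoch time `now`."""
    return {owner: rrsig_status(inc, exp, now) for owner, inc, exp in rrsigs}

if __name__ == "__main__":
    now = parse_rrsig_time("20080715120000")  # fixed "now" so the run is reproducible
    for owner, status in audit(SAMPLE_RRSIGS, now).items():
        print(f"{owner:20} {status}")
```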
I admit readily that I am not one of the 'dns guys' around here, but
I have been watching with some interest for a few years now, and have
more or less become convinced that the players involved are willing to
tolerate, downplay, or even flat out ignore a great deal.
Except losing their own relevance. This is cherished above all. The
only times I have seen these parties move is when it has been
realistically threatened.
So in brandishing this world event like a holy sword of fire to
smite some nefarious bureaucracy, there is no danger its strike will
drain any relevance. The band aid fix is there. Their relevance is
saved along with all of our businesses. There is still plenty of time
to argue about who gets the keys. Who gets nearly the entire pot of
this magical relevance ambrosia?
It wouldn't work. Paul's booming voice would serve only to make him
hoarse.
The strike only lands for effect if you withhold the band aid fix,
which simply cannot be done in this case either.
I'm only really aware of two ways to reduce the relevance of the root
and its children (I did say I am not a DNS guy). You can join one of
the alternate roots, which I do not recommend. Or you can sign your
zones using a DLV registry.
If DLV registries became 'de rigueur', it would effectively halve the
root and by extension the GTLDs' relevance. I do not believe they
will permit this to come to pass. Provided they did, we would win
anyway, as signing zones itself would have become the norm.