Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

> MY move? Fine. You asked for it. Had I your clout, I would have
> used
> this opportunity to convince all these new agencies that the
> security of
> the Internet was at risk, and that getting past the "who holds the
> keys"
> for the root zone should be dealt with at a later date. Get the root
> signed and secured.

Even if that was done today, there would still be a risk of cache
poisoning for months and years to come.

You're confusing the short-term and the long-term measures, here.

No, I'm not. I did say that the other fix could be implemented regardless.
However, since it is at best only a band-aid, it should be treated and
understood as such, rather than misinforming people into thinking that
their nameservers are "not vulnerable" once they've applied it.

So I'm not the confused party. There are certainly a lot of confused
parties out there who believe they have servers that are not vulnerable.

> Get the GTLD's signed and secured.

I encourage you to read some of the paper trail involved with getting
ORG signed, something that the current roadmap still doesn't
accommodate for the general population of child zones until 2010. It
might be illuminating.

You know, I've been watching this DNSSEC thing for *years*. I don't need
to read any more paper trail. There was no truly good excuse for this not
to have been done years ago.

Even once everything is signed and working well to the zones that
registries are publishing, we need to wait for registrars to offer
DNSSEC key management to their customers.

Even once registrars are equipped, we need people who actually host
customer zones to sign them, and to acquire operational competence
required to do so well.

And even after all this is done, we need a noticeable proportion of
the world's caching resolvers to turn on validation, and to keep
validation turned on even though the helpdesk phone is ringing off the
hook because the people who host the zones your customers are trying
to use haven't quite got the hang of DNSSEC yet, and their signatures
have all expired.

Compared with the problem of global DNSSEC deployment, getting
everybody in the world to patch their resolvers looks easy.

Of course. That's why I said that deploying this patch was something that
could be done *too*.

The point, however, was contained in my earlier message.

You can only cry "wolf" so many times before a lot of people stop
listening. Various evidence over the years leads me to believe that
this is any number greater than one time.

The point is that I believe the thing to do would have been to use this
as a giant push for "DNSSEC Now! No More Excuses!"

As it stands, there will likely be another exploit discovered in a year,
or five years, or whatever, which is intimately related to this attack,
and which DNSSEC would have solved.

I don't particularly care to hear excuses about why DNSSEC is {a failure,
impractical, can't be deployed, hasn't been deployed, won't be deployed,
isn't a solution, isn't useful, etc} because I've probably heard them all
before. We should either embrace DNSSEC, or we should simply admit that
this is one of the many problems we just don't really care to fix for real.

... JG

OK, good. Sorry if I misinterpreted your earlier message.