>> Compared with the problem of global DNSSEC deployment, getting
>> everybody in the world to patch their resolvers looks easy.
>
> Of course. That's why I said that deploying this patch was
> something that
> could be done *too*.
OK, good.
Yeah, I'm not arguing against mitigating the immediate problem, but rather:
Sorry if I misinterpreted your earlier message.
The problem is that we have this reactionary mindset to threats that have
been known for a long time, and we're perfectly happy to issue one-off
band-aid fixes, often while not fixing the underlying problem.
DNSSEC was designed to deal with just this sort of thing. In almost TWO
DECADES since Bellovin's paper, which was arguably the motivation behind
DNSSEC, we've ... still got an unsigned root, unsigned GTLD's, unsigned
zones, and we've successfully managed to get Gates to train users to click
on "OK" for any message where they don't understand what it's trying to
say, so relying on security at other layers isn't particularly effective
either.
Collectively, those of us reading this list are responsible for creating
at least part of this mess, either through inaction or foot-dragging.
Welcome to the Internet that we've created.
... and we've successfully managed to get Gates to train users to click
on "OK" for any message where they don't understand what it's trying to
say, so relying on security at other layers isn't particularly effective
either.
He,he,nice comment. The issue is that with todays html crap and embedded
images on mails "click" is no longer required, just include a malicious tag
forcing your resolver to go to bad boy's NS to resolve the URL and you are
up in biz.
He,he,nice comment. The issue is that with todays html crap and embedded
images on mails "click" is no longer required, just include a malicious tag
forcing your resolver to go to bad boy's NS to resolve the URL and you are
up in biz.
Can't stop laughing ... its a rainy boring day in south TX, just thinking
that MSFT is probably working on a security patch for Vista that will ask
you every few seconds "Are you sure you want to resolve this domain name?"
....
Just a bit of humor before my resolver is poisoned ...
