Paul Vixie Responds To DNS Hole Skeptics

syncro writes "The recent massive, multi-vendor DNS patch advisory related to DNS cache poisoning vulnerability, discovered by Dan Kaminsky, has made headline news. However, the secretive preparation prior to the July 8th announcement and hype around a promised full disclosure of the flaw by Dan on August 7 at the Black Hat conference has generated a fair amount of backlash and skepticism among hackers and the security research community. In a post on CircleID, Paul Vixie offers his usual straightforward response to these allegations. The conclusion: 'Please do the following. First, take the advisory seriously — we're not just a bunch of n00b alarmists, if we tell you your DNS house is on fire, and we hand you a fire hose, take it. Second, take Secure DNS seriously, even though there are intractable problems in its business and governance model — deploy it locally and push on your vendors for the tools and services you need. Third, stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching.'"

I'm not worried

[niceone]

I just remember the IP addresses and type them in myself. How hard is that?

Re:I'm not worried

[Klaus_1250]

Why is that hard? Still works with IP-addresses. The only thing you need to do is to supply the Host-field as per HTTP/1.1.

Re:I'm not worried

[cnettel]

I just remember the IP addresses and type them in myself. How hard is that?

That's all well and dandy until banner ads start flashing subliminal messages of unauthorized zone updates to you.

Re:I'm not worried

[Toutatis]

How can you know then that the flaw isn't in your mind too.

Re:I'm not worried

[morgauo]

Meh! Just put the domains in your hostfile.... All of them....

Re:I'm not worried

[Nullav]

Hey!
I am an unpatched DNS server, you insensitive clod!

Re:I'm not worried

[Lennie]

That's why 'smart' people use /etc/hosts. That solves the problem of remembering and of the HTTP-host-header.

Re:The back-biting is shameful

[wild_quinine]

If there's one thing that everyone should have learned by now, if someone says "trust me", you should be skeptical.

No, you're off message. They need to click continue, because the screen has gone all dark and they can't get back to their web browser.

Re:stability

[hostyle]

I heard that this "security fix" is the addition of support for the Evil Bit.

Re:Unfortunately, what else is new?

[danFL-NERaves]

Your mad ad hominem attack skills have convinced everyone that Paul Vixie is the know nothing douchebag in this conversation. Kudos!

Re:Unfortunately, what else is new?

[MadMidnightBomber]

You broke my sarcasm meter.

It's all a liberal plot

[spun]

DNS cache poisoning is a myth cooked up by the liberal media and DNS scientists to implement their anti capitalist agenda.

And if it isn't a myth, then it certainly isn't man made, it's a natural phenomenon and there's nothing we can do about it.

Re:ATTENTION MODERATORS: MOD PARENT DOWN

[spun]

Uh oh, somebody call the whaaaaambulance, we're going to need to perform a humor transplant here!

Re:ATTENTION MODERATORS: MOD PARENT DOWN

[Goaway]

User ID 1352 trollin' it old skool!

Re:Not so simple.

[skarphace]

Only if you have a method for authenticating the other side of the phone conversation.

Visit the website and get the phone number, of course!

Don't worry, Mr. Vixie

[93+Escort+Wagon]

Third, stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching.

The patch is now in my crontab and set to run on the 6th.