The worst thing about the exploit -- Have you done your part?
Matthew Pounsett
matt at conundrum.com
Sat Jul 26 15:19:56 UTC 2008
On 26-Jul-2008, at 09:38 , Ben Croswell wrote:
> I also see a lot of people calling for DNSSEC to fix the underlying
> issue,
> but unless I am mistaken DNSSEC won't fix the issue unless we have
> close to
> 100% adoption rate.
DNSSEC fixes the problem for each pair of a signed domain and a
validating caching server. So, you can be half of the solution by
making sure validation is turned on in your caching servers. Rollout
of signed domains (particularly from the root and TLDs) will take
longer, but I strongly suspect that this exploit is the killer app
we've been waiting for... just slightly more literally than we hoped.
Matt
More information about the bind-users
mailing list