ICANN/GNSO GNSO Email List Archives

[ga]



[ga] Paul Vixie Responds To DNS Hole Skeptics

  • To: Ga <ga@xxxxxxxxxxxxxx>
  • Subject: [ga] Paul Vixie Responds To DNS Hole Skeptics
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Tue, 15 Jul 2008 02:02:42 -0700

All,

  I am very sorry to say that in this instance I partly disagree with
Paul's response.  He has known of this Hole for years and also
knew what needed to be done to fix it.  So did ICANN and the
IANA.  Please see the old DNSO archives for confirmation.
During that time, Paul and I had several disagreements regarding
BIND and DNS.  However, we also agreed on a number of things
that were obviously security exposures, and within a month or so
Paul put out, via his ISC company, fixes accordingly.
DNSO archives can be found at:
http://www.dnso.org/dnso/gaarchives.html

See:
The recent massive, multi-vendor DNS patch advisory related to
http://it.slashdot.org/article.pl?sid=08/07/08/195225&tid=172
DNS cache poisoning vulnerability, discovered by Dan Kaminsky, has made
headline news. However, the secretive preparation prior to the July 8th
announcement and hype around a promised full disclosure of the flaw by
Dan on August 7 at the Black Hat conference has generated a fair amount
of backlash and skepticism among hackers and the security research
community. In a post on CircleID,
http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
Paul Vixie offers his usual straightforward response to these
allegations.
The conclusion:
'Please do the following. First, take the advisory seriously - we're not
just a bunch of n00b alarmists, if we tell you your DNS house is on
fire, and we hand you a fire hose, take it. Second, take Secure DNS
seriously, even though there are intractable problems in its business
and governance model - deploy it locally and push on your vendors for
the tools and services you need. Third, stop complaining, we've all got
a lot of work to do by August 7 and it's a little silly to spend any
time arguing when we need to be patching.'

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827



