Re: [At-Large] [ga] What are ICANN and VeriSign doing regarding CERT Advisory #800113 / DNS Cache Poisoning?
George and all,

Good idea and also a good question. It appears that ICANN's SSAC is unwilling or unable to address this long-standing and glaring problem that endangers us all on a global basis. It BTW is not a new problem by any means. It's been around for years. Thanks to CERT, by the insistence of some of us security professionals hammering them, it has finally been recognized as a huge security problem. Maybe DHS or the USDOJ can apply some pressure on ICANN to either act, or get out of the way.

It's also very clear that the ALAC has seemingly not identified this security problem as being very important either. I suppose or can only surmise that the ALAC and the ALS'es could care less how many users are damaged by this problem. Certainly they cannot claim that they were not made aware.

So it seems that it's full speed ahead and damn the torpedoes as fast tracking IDN ccTLD's, new gTLD's, IDN gTLD's, Fast-Flux, anti-phishing, and other less important issues are ICANN's policy priorities. See: http://www.icann.org/topics/policy/

But thank you again George, for bringing this serious security problem back into the public eye.

George Kirikos wrote:
Hello,
ICANN and VeriSign have been oddly quiet over the entire DNS cache poisoning issue:
http://www.kb.cert.org/vuls/id/800113
http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
http://it.slashdot.org/article.pl?sid=08/07/08/195225&tid=172
PIR has a pending proposal to implement DNSSEC for .org:
http://www.icann.org/registries/rsep/
Is that something that VeriSign has plans to accelerate for the important .com and .net registries, in order to prevent a long-term meltdown in DNS confidence/trust should DNS cache poisoning become widespread in August and beyond?
No need for a "formal" press release, but I think the community deserves to know that people are working on the long-term solution to this problem, and making it a higher priority relative to other lesser issues.
Point #14 in the latest policy newsletter appears to be the only "hint" that a few people are working on things:
http://www.icann.org/topics/policy/update-jul08.htm#14
Hopefully something will happen before Cairo, as by then there might be widespread disruptions to the internet. Perhaps the Board might want to consider an early special meeting this week or next:
instead of waiting until July 31st, in conjunction with the SSAC.
Sincerely,
George Kirikos http://www.kirikos.com/
Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827
participants (1): Jeffrey A. Williams