Joe and all, First, IMO, Joe is correct that DNSSEC will not save or fix any problems that are software related to DNS/BIND or client interfaces that are OS specific but were based upon what was known about Bind at the time of their creation. Second, Burnsteins DNS/BIND is only ONE version of DNS/BIND that is very secure. Our BindPlus is also very secure as well, no reported security problems reported in 49 months, and never a serious security hole found or reported sense it's release. Third, I respectfully disagree that ICANN can't do anything. They could have done allot over 6 years ago, and scoffed at anyone other than Paul Vixies Bind 8 at that time. That was a mistake, and many knew it but were silent publically. Forth, Joe is right, that with a little software Eng. forsight and expermintation most of the DNS/BIND security Holes are fixable and customizably so. What is missing is that there are very few GOOD software Eng., and even fewer that have an in depth understanding of DNS. Fifth, it is huge security problems like this that are bound to occur as long as social Eng. are making software decisions or managment decisions that are grounded in security and/or software. That's a leadership problem, and in this instance it is a ICANN leadership problem. Joe Baptista wrote:

On Wed, Aug 6, 2008 at 10:46 PM, George Kirikos <gkirikos@yahoo.com> wrote:

Hello,

Just to followup, ICANN sent out a news release earlier:

http://www.icann.org/en/announcements/announcement-06aug 8-en.htm

It's a step in the right direction, to help educate folks. However, there's no true "fix", as the protocol itself is broken. A move towards DNSSEC or other secure DNS would be the only appropriate long-term solution.

There is nothing wrong with the protocol. Its the software thats the issue. And this is easy to fix. I've run some tests and with a little DNS magic you can make you DNS very secure.

Another big help would be to update your software including any NAT devices.

The whole DNSSEC thing is another red herring in the making.

Also there is nothing ICANN nor anyone else can do about this. The world is running a lot of insecure servers. BIND has always been buggy and true to form it will continue to be buggy. Have you any idea how many buggy systems are out there. i.e. almost all of them. Unless of course your running burnsteins DNS which already fixed this problem a long time ago.

It bother me that people who have no idea what the technical issues are get so easily baited by this issue. George - let go the ICANN red herring. Its just another smoke screen.

The real issue here is what sort of out reach programs is ICANN involved in to get people to upgrade and fix their buggy dns servers. DNSSEC is not going to save them.

cheers joe baptista

If there's ever a cyber 9/11, as Lessig discussed at:

http://news.slashdot.org/article.pl?sid=08/08/05/220229

widespread DNS cache poisoning might be one of the root causes.

I'd like to hear from VeriSign as to whether they're planning to implement DNSSEC or a secure DNS alternative for .com/net, as PIR intends for .org.

Sincerely,

George Kirikos http://www.kirikos.com/

--- George Kirikos <gkirikos@yahoo.com> wrote:

> > Hello, > > ICANN and VeriSign have been oddly quiet over the entire DNS cache > poisoning issue: > > http://www.kb.cert.org/vuls/id/800113 > http://www.circleid.com/posts/87143_dns_not_a_guessing_game/

> http://it.slashdot.org/article.pl?sid=08/07/08/195225&tid=172

> > PIR has a pending proposal to implement DNSSEC for .org: > > http://www.icann.org/registries/rsep/ > > Is that something that VeriSign has plans to accelerate for the > important .com and .net registries, in order to prevent a long-term > meltdown in DNS confidence/trust should DNS cache poisoning become > widespread in August and beyond? > > No need for a "formal" press release, but I think the community > deserves to know that people are working on the long-term solution to > this problem, and making it a higher priority relative to other > lesser > issues. > > Point #14 in the latest policy newsletter appears to be the only > "hint" > that a few people are working on things: > > http://www.icann.org/topics/policy/update-jul08.htm#14 > > Hopefully something will happen before Cairo, as by then there might > be > widespread disruptions to the internet. Perhaps the Board might want > to > consider an early special meeting this week or next: > > http://www.icann.org/minutes/ > > instead of waiting until July 31st, in conjunction with the SSAC. > > Sincerely, > > George Kirikos > http://www.kirikos.com/

-- Joe Baptista www.publicroot.org PublicRoot Consortium ---------------------------------------------------------------- The future of the Internet is Open, Transparent, Inclusive, Representative & Accountable to the Internet community @large. ---------------------------------------------------------------- Office: +1 (360) 526-6077 (extension 052) Fax: +1 (509) 479-0084

Regards, Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!) "Obedience of the law is the greatest freedom" - Abraham Lincoln "Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt "If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947] =============================================================== Updated 1/26/04 CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC. ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com My Phone: 214-244-4827