Re: [NA-Discuss] [ga] were all screwed - the only solution is obvious - smart ids dns
Dr. Joe and all, I don't know if OpenDNS has what you're suggesting deployed. But it is slowly becoming far more clear that ICANN is not fully deploying or implementing DNSSEC. I cannot for certain determine as to why, however. I can only suspect that ICANN doesn't have the horses, nor does the IANA any longer, to properly implement DNSSEC. Same for IPSEC, BTW. Further, selling DNSSEC to Registries, Registrars, and Registrants, as well as ISP/IAPs, is not going well, nor for that matter is IPv6, thank god. One should also consider or actually recognize that IP registries are far more security vulnerable than the roots, DN registries and registrars, or registrants.

But I would like to believe and certainly hope that the GAC recognizes how important DNS security is, and to some degree why it is so. Let's hope that the FCC and DOC/NTIA can hold ICANN properly and fully accountable as well as liable, as critical economic health and governmental infrastructure is at stake. Right now though the ignorance of DNS security as a necessity is still widespread. The touchy-feely social engineering folks and their associated groups don't see this as a significant danger. When they get bit, maybe then they will.

What's needed IMPO is that DNS needs a major re-write, especially BIND. Vixie could do it, Bernstein could do it, I have, along with my excellent technical staff, done it, and there are a precious few others that could do it; none are that interested, as it is a significant task. For the social engineering folks not to understand how important this is, is beyond reasonable thinking. ICANN, the IANA, and especially the IETF know better, so ICANN's SSAC not adequately addressing this is simply not excusable, and they know it! However Dr. Joe, we're not all "screwed", as you so eloquently put it, yet. >:) However it seems that we are all exposed, as it were.
:(
Joe Baptista wrote:
People, we're all screwed thanks to this DNS vulnerability. It is truly a monster in the making and we are being bamboozled into thinking DNSSEC will save our sorry souls. And the ease of causing damage to internet infrastructure is enormous.
Every banking transaction, every communication channel can now be hijacked by any script kiddie with a network of bots. And we are being asked to settle for DNSSEC, which it is clear is not so secure and easily broken by - guess who - script kiddies. When the kiddies figure out how to control the DNS through these vulnerabilities we're going to be a mess.
My main concern is the criminals who will soon also discover how these flaws can be exploited. Port randomization, as has been shown, does not work. It just takes more time to do. Bernstein's concern with the year 2015 is very real today.
I've asked Vixie some questions and gotten some replies. I hate to say this but the only real way left to guard against this attack is an intrusion detection system (IDS) to monitor any recursive DNS server and a good well behaved firewall.
I addressed the fix for these problems back in Jan 2007 in the Public-Root Name Server Operational Requirements document published by INAIC. The sections are 4.2.7 to 4.2.9. The reference document is at the following URL.
http://www.publicroot.org/technical/root-server-standards.pdf
In any case that's what now needs to be done to secure DNS ASAP. I would recommend a smart IDS that not only detects but also, based on a set of rules, attempts to find and correct the answer or response to the DNS server in real time. I expect OpenDNS has this sort of thing deployed.
cheers joe baptista
--
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative & Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
Regards,
Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827
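The monitoring Baptista calls for above, a rule-based IDS watching a recursive resolver, as an added example that is code from neither poster: it parses constructed response-log lines in a hypothetical format and alerts when a burst of responses for one name fails to match the transaction ID and port the resolver is actually waiting on, which is the trace a forged-response flood leaves behind. The log format, the `outstanding` table and the window/threshold values are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed log format (hypothetical, not any real resolver's): one inbound
# DNS response per line: "<epoch_sec> <src_ip> <qname> txid=<hex> dport=<port>"
LINE_RE = re.compile(
    r"^(\d+(?:\.\d+)?) (\S+) (\S+) txid=([0-9a-fA-F]{4}) dport=(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, qname, txid, dport = m.groups()
    return {"ts": float(ts), "src": src, "qname": qname.lower().rstrip("."),
            "txid": int(txid, 16), "dport": int(dport)}


def detect_poison_flood(lines, outstanding, window=2.0, threshold=20):
    """`outstanding` maps qname -> (txid, port) the resolver is waiting on.
    A response matching neither is a guess; `threshold` guesses for one
    qname inside `window` seconds is the mark of a forged-response flood.
    Returns one (qname, first_guess_ts, guesses_seen) alert per qname."""
    guesses = defaultdict(deque)  # qname -> timestamps of recent guesses
    alerts = {}
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        if outstanding.get(r["qname"]) == (r["txid"], r["dport"]):
            continue  # the one answer we were actually waiting for
        q = guesses[r["qname"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and r["qname"] not in alerts:
            alerts[r["qname"]] = (r["qname"], q[0], len(q))
    return list(alerts.values())


# Constructed sample: one genuine answer, then a burst of 25 wrong-TXID
# responses from another source, then a stray unsolicited response.
OUTSTANDING = {"www.example.com": (0x1A2B, 53021)}
SAMPLE_LOG = (
    ["1000.000 192.0.2.10 www.example.com txid=1a2b dport=53021"]
    + [f"1000.{i:03d} 198.51.100.7 www.example.com txid={i:04x} dport=53021"
       for i in range(1, 26)]
    + ["1001.000 203.0.113.5 mail.example.net txid=0c0c dport=40000"])

if __name__ == "__main__":
    for qname, first_ts, n in detect_poison_flood(SAMPLE_LOG, OUTSTANDING):
        print(f"ALERT {qname}: {n} guessed responses since t={first_ts}")
```

A real deployment would feed this from a packet capture on the resolver's upstream interface and, as the post suggests, could drop or quarantine the flooded name's answers rather than only alert.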