The worst thing about the exploit -- Have you done your part?

Jeff A. Earickson jaearick at colby.edu
Mon Jul 28 18:27:58 UTC 2008


On Sat, 26 Jul 2008, Alan Clegg wrote:

> Date: Sat, 26 Jul 2008 11:41:10 -0400
> From: Alan Clegg <Alan_Clegg at isc.org>
> To: Ben Croswell <ben.croswell at gmail.com>, DNS BIND <bind-users at isc.org>
> Subject: Re: The worst thing about the exploit -- Have you done your part?
> 
> Ben Croswell wrote:
>> I also see a lot of people calling for DNSSEC to fix the underlying
>> issue, but unless I am mistaken DNSSEC won't fix the issue unless we
>> have close to 100% adoption rate.
>
> I'm using DLV to do DNSSEC validation right now, as are all the queries
> of my upstream ISP.
>
> I have a bunch of domains that you can validate using DNSSEC including
> 'clegg.com'.
>
> See another presentation of mine here:  http://alan.clegg.com/dnssec for
> information on deploying DNSSEC in your environment TODAY!
>
> Yes, there needs to be more infrastructure work done to get it deployed
> globally, but why not begin the deployment at the (grass) roots?

I got to ask the painfully obvious question...  Why hasn't DNSSEC started
at the top?  Why aren't the root servers supporting it?  Why isn't .com,
.org, .edu rolling this out?  The .com domain has the most to lose by not
having DNSSEC, since every bank and entity-to-steal-from on the planet lives
in this domain.  Not that I'm opposed to the grassroots, it just seems
backwards.

Jeff Earickson
Colby College

