More info in a podcast interview
Posted Jul 8, 2008 23:25 UTC (Tue) by rfunk
Parent article: Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis.com)
interview with Dan Kaminsky has more information.
His simple message is "if it recurses, patch it, but non-recursive clients
are also affected as a lesser priority."
"Dan Bernstein completely solved a big security issue he didn't even know
about!" with port randomization. But 16-bit randomization isn't enough;
they're adding another 11-14 bits of randomization. It also involves the
"Even I gotta admit, maybe there is something to this whole DNSSEC
thing...." (but he still isn't saying DNSSEC is workable.)
to post comments)