> So is this patch a "true" fix or just a temporary fix until further
> work can be done on the problem?

the only true fix is DNSSEC. meanwhile we'll do UDP port randomization, plus we'll randomize the 0x20 bits in QNAMEs, plus we'll all do what nominum does and retry with TCP if there's a QID mismatch while waiting for a response, and we'll start thinking about using TKEY and TSIG for stub-to-RDNS relationships. but the only true long term fix for this is DNSSEC. all else is bandaids, which is a shame, since it's a sucking chest wound and bandaids are silly.

> But is that truly an end-all fix, or is this just the initial cry to stop
> short-term hijacking?

all we're trying to do is keep the 'net running long enough to develop and deploy DNSSEC, which would be much harder if updates.microsoft.com almost never points to a microsoft-owned computer.
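
Added example, not part of the original message and not code from any resolver: a resolver-side sketch of two of the stopgaps named above, randomizing the 0x20 (case) bits of the QNAME and falling back to TCP when a UDP reply carries the wrong QID. The function names and the "accept" / "retry_tcp" / "drop" verdicts are assumptions made for illustration; source-port randomization is not shown.

```python
import secrets
import struct

def encode_0x20(qname: str) -> str:
    """Flip the 0x20 (case) bit of each ASCII letter with probability 1/2."""
    return "".join(
        chr(ord(c) ^ 0x20) if c.isascii() and c.isalpha() and secrets.randbits(1) else c
        for c in qname
    )

def build_query(qname: str, qtype: int = 1):
    """Return (qid, mixed_name, wire) for a query with a random QID and 0x20 case."""
    qid = secrets.randbits(16)
    mixed = encode_0x20(qname.rstrip("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in mixed.split("."))
    return qid, mixed, header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def question_name(wire: bytes) -> str:
    """Extract the question name from a DNS message, preserving its case."""
    pos, labels = 12, []
    while wire[pos]:
        n = wire[pos]
        if n > 63:
            raise ValueError("compressed or invalid label in question")
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def check_response(qid: int, mixed: str, resp: bytes) -> str:
    """Classify a UDP reply to our query: 'accept', 'retry_tcp' or 'drop'."""
    if len(resp) < 12:
        return "drop"
    rid, flags = struct.unpack("!HH", resp[:4])
    if not flags & 0x8000:
        return "drop"            # QR bit clear: not a response at all
    if rid != qid:
        return "retry_tcp"       # QID mismatch: stop trusting UDP for this query
    try:
        name = question_name(resp)
    except (ValueError, IndexError, UnicodeDecodeError):
        return "drop"
    # A reply that does not echo our exact mixed-case name was not built from our query.
    return "accept" if name == mixed else "drop"
```
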