BIND-USERS,

One issue about this exploit that I think a lot of people may be overlooking is the fact that it does not directly impact the OWNER of the DNS records in question, but the CONSUMERS of that data.

As the owner of "my-cheap-rail-tickets-online.com", you can patch everything you own, ensure that your firewalls are perfect, and hire five extra DNS admins, but it's not going to help you keep your clients healthy and happy.

Your clients are the mom-n-pop users -- the folks at the end of the ISP's feeding chain. The people that don't know the difference between the US state code for Tennessee and the country code for Tunisia. The folks using "Billy Bob's Bait-and-Tackle (and Internet Stuff)" as a provider.

Your business depends on Billy Bob getting his recursive servers fixed so that your customers can still get to your website (or the websites of your co-located customers, etc.)

Does that scare anyone? It scares me.. a lot.

How do we get out and inform Billy Bob that something that has been working just fine for years is suddenly not quite so perfect and that his customers might be affected? Additionally, Billy Bob's customers are going to be affected in ways that don't directly affect his operations, so it's hard to get him to understand why he needs to do anything. His customers will still be sending him the check every month even if their login information for "my-cheap-rail-tickets" was siphoned off to someone in a foreign land.

By being on this list, you have proven that you actually are interested in the DNS infrastructure. If you look around, you won't see Billy Bob here, and yet, he affects YOUR customers, and by that, your profit margin (or reputation).

What can we as the bind-users community do about Billy Bob?

Have you contacted your local ISPs (or tested their servers since they well may be open recursors?) Have you pounded the pavement and talked to folks at your local users groups and tech gatherings about the problem?

I'm willing for anyone to use my slides (http://alan.clegg.com/800113) as the basis for spreading the word. Make presentations. Tell your friends. Tell your colleagues. TELL YOUR COMPETITION.

I'm planning to have a video of me giving the presentation on-line soon so that the nuances of the presentation are more clear, but if you have any questions regarding it before then, please send me mail (off-list).

The storm is coming.. have you done your part?

AlanC
