On 26-Jul-2008, at 09:38 , Ben Croswell wrote: > I also see a lot of people calling for DNSSEC to fix the underlying > issue, > but unless I am mistaken DNSSEC won't fix the issue unless we have > close to > 100% adoption rate.
DNSSEC fixes the problem for each pair of a signed domain and a validating caching server. So, you can be half of the solution by making sure validation is turned on in your caching servers. Rollout of signed domains (particularly from the root and TLDs) will take longer, but I strongly suspect that this exploit is the killer app we've been waiting for... just slightly more literally than we hoped. Matt
