Paul Vixie wrote:
...
Back to reality and 2007:
In this case, we speak of a problem with DNS, not sendmail, and not bind.
As to blacklisting, it's not my favorite solution but rather a limited
alternative I also saw you mention on occasion. What alternatives do you
offer which we can use today?

on any given day, there's always something broken somewhere.
in dns, there's always something broken everywhere.
since malware isn't breaking dns, and since dns is not a vector per se, the
idea of changing dns in any way to try to control malware strikes me as
a way to get dns to be broken in more places more often.

I'd say it's a way to get DNS to be more inconsistent and it's likely to
happen. Broken is both in the eye of the beholder and in the eye of the
end-user.

but, isp's responsible for large broadband populations could do this in their
recursion farms

That's right. And it will perpetuate the arms race of whitehats vs.
blackhats. But that's no reason not to add intelligence into the DNS --
either in-band or out-of-band. Most of us already do some level of DNS
intelligence out-of-band (passive dns, uribls, etc) and the power of
doing it in-band is a logical next step.

fundamentally, this isn't a dns technical problem, and using dns technology
to solve it will either not work or set a dangerous precedent. and since
the data is authentic, some day, dnssec will make this kind of poison
impossible.

Unfortunately, that day, if it ever comes, will come after bot herders
stop using DNS to manage their botnets because other mitigation
strategies will have already forced them to move on.
-David
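The thread above contrasts in-band DNS intelligence (a policy layer in an ISP's recursion farm that rewrites answers for blocklisted names) with out-of-band use of the same lists (scanning passive DNS or query logs), and raises the DNSSEC caveat that a validating client will reject a rewritten answer from a signed zone. The following is an added toy model of both, written for this page and not code from either poster or from any resolver product. The blocklist, zone data, sinkhole address and log lines are constructed sample values, and the `client_validates` flag is a hypothetical stand-in for a downstream DNSSEC validator.

```python
"""
Added example: a toy in-band DNS policy layer plus out-of-band log scanning.
Simulation only; not a real resolver. All data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed blocklist a defender maintains. Keys starting with "." match
# every subdomain of that suffix; other keys match the exact name.
BLOCKLIST = {
    "bad-c2.example": "sinkhole",
    ".evil.test": "nxdomain",
}

# Constructed stand-in for what recursion would fetch from authority:
# name -> (address, zone is DNSSEC-signed).
AUTH_DATA = {
    "bad-c2.example": ("203.0.113.10", False),
    "update.evil.test": ("198.51.100.7", True),
    "www.example.net": ("192.0.2.1", True),
}

SINKHOLE_IP = "192.0.2.254"  # constructed documentation-range address


@dataclass
class Answer:
    qname: str
    rcode: str               # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    ip: Optional[str]
    policy_hit: Optional[str]  # which policy action fired, if any


def normalize(name: str) -> str:
    """Strip the trailing dot and lower-case, so list entries compare cleanly."""
    return name.rstrip(".").lower()


def policy_lookup(qname: str) -> Optional[str]:
    """Return the policy action for qname, honouring wildcard (".suffix") entries."""
    name = normalize(qname)
    if name in BLOCKLIST:
        return BLOCKLIST[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in BLOCKLIST:
            return BLOCKLIST[suffix]
    return None


def resolve(qname: str, client_validates: bool = False) -> Answer:
    """Answer a query the way a policy-applying recursive resolver would.

    client_validates (hypothetical) models the outcome at a downstream DNSSEC
    validator: a rewritten answer for a signed zone fails validation there, so
    the client ends up with SERVFAIL rather than the sinkhole or NXDOMAIN the
    operator intended. That is the thread's "dnssec will make this kind of
    poison impossible" caveat, seen from the policy operator's side.
    """
    name = normalize(qname)
    action = policy_lookup(name)
    upstream = AUTH_DATA.get(name)
    signed = upstream[1] if upstream else False

    if action is None:                       # no policy: pass through
        if upstream is None:
            return Answer(name, "NXDOMAIN", None, None)
        return Answer(name, "NOERROR", upstream[0], None)
    if signed and client_validates:          # rewrite cannot validate downstream
        return Answer(name, "SERVFAIL", None, action)
    if action == "nxdomain":
        return Answer(name, "NXDOMAIN", None, action)
    return Answer(name, "NOERROR", SINKHOLE_IP, action)


def policy_hits(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Out-of-band use of the same list: flag blocklisted names in query logs."""
    hits = []
    for line in log_lines:
        # Constructed log format: "<timestamp> <client> <qname> <qtype>"
        parts = line.split()
        if len(parts) < 3:
            continue
        action = policy_lookup(parts[2])
        if action:
            hits.append((parts[1], normalize(parts[2]), action))
    return hits


# Constructed query-log sample.
SAMPLE_LOG = [
    "2007-01-10T10:00:01 10.0.0.5 www.example.net. A",
    "2007-01-10T10:00:02 10.0.0.9 bad-c2.example. A",
    "2007-01-10T10:00:03 10.0.0.9 update.evil.test. A",
]

if __name__ == "__main__":
    for q in ("www.example.net", "bad-c2.example", "update.evil.test"):
        print(resolve(q))
    print(resolve("update.evil.test", client_validates=True))
    print(policy_hits(SAMPLE_LOG))
```

Running it shows the three outcomes the thread argues about: an unlisted name passes through, a listed name is sinkholed or answered NXDOMAIN, and the same rewrite applied to a signed zone turns into SERVFAIL for a validating client. The out-of-band scan over the constructed log flags the same two clients without touching any answer, which is the trade-off between visibility and interference the posters are weighing.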