In message <20080708234533.B080B112872(a)wat.la.naos.co.nz>, Ewen McNeill writes:
See also, eg, http://isc.sans.org/diary.html?storyid=4687 which has some sane discussion of the issue [...]
It appears that someone guessed close enough to how the attack worked to cause one of the people "in the know" to post a confirmation, and then attempt to withdraw it -- but of course people have found traces of the confirmation description and mirrored it. So the cat seems to be out of the bag, and presumably the Bad Guys (tm) will now try to do this for real. See, eg, http://it.slashdot.org/it/08/07/21/2212227.shtml which has various cut'n'paste copies of what seems to be the confirmation description, plus a link to the guess that prompted it.
Amongst other things they suggest patching any recursive/caching DNS servers with vendor patches at the soonest suitable patch window.
If you haven't already patched your recursive/caching DNS servers used by customers, today would be a good day to do it. So says Dan Kaminsky who found the issue in the first place: http://www.doxpara.com/?p=1176 Also beware that the NAT in at least some firewalls has been reported to undo the port randomisation that the patch introduces, resulting in predictable port numbers again (and thus no increase in randomness or protection against this attack). Linux-based firewalls are reported to be okay (apparently by default they pass through the port number used by the client on outgoing UDP packets if they can), and presumably OpenBSD based ones are okay given their choice to randomise everything. But beware of running recursive DNS servers behind NAT on firewalls without checking what the outgoing packets look like -- if in doubt perhaps put your recursive DNS servers into the DMZ outside the NAT. Ewen