On 26/07/2008, at 1:58 AM, Joe Abley wrote:
> On 25 Jul 2008, at 02:33, Paul McKitrick wrote:
>> In early July CCIP met with NZ Registry Services to discuss this issue and determine who the most appropriate audience for this information would be. Because of the sensitivity of this it was determined that the NZNOG mailing list would not be appropriate as it is an open forum with over 800 registered participants.
>
> For my money, at that time, that would have made NZNOG an ideal place to start making noise about the problem.
>
> http://www.kb.cert.org/vuls/id/800113 was published on 7 July. Keeping things quiet after that date seems like quite the wrong thing. What would have been much better would have been a concerted and noisy public airing of the problem, carried out by people who understood it and knew how to answer the (understandably) doubtful responses to it ("isn't this the same thing that was first announced in 2002?", etc.)

Ah, I had "go find a timeline for this DNS thing and reply to NZNOG" on my to do list for tonight. My response was going to be much the same as Joe's - once this stuff is published in a security forum, those who would use it maliciously probably already know, and those who need to do something to patch this probably don't.

-- Nathan Ward