"In a WORLD where ONE MAN holds the KEY to the entire INTERNET!"
What were the odds I'd get to say that twice in one day?
Just don't say it a third time, lest you create an unkillable meme...
Or John Markoff?
Ridiculous. I doubt Vixie said that.
Other DNS servers like DJB-DNS and PowerDNS have implemented proper port randomization as part of their design a LONG time ago. As a result of that, those servers are completely unaffected by this DNS exploit.
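The comment above turns on whether a resolver randomizes its outbound source ports. The following is an added example, not code from the thread or from any of the resolvers named: a small defender-side check that takes a sample of the source ports a resolver used for its outbound queries (as seen in a packet capture or flow log) and scores how much entropy they carry, i.e. how far beyond the 16-bit transaction ID the resolver's guess space extends. The two port samples are constructed, and the 4-bit verdict threshold is an arbitrary choice for this example.

```python
import math
import random
from collections import Counter

# Constructed samples (not real captures): the source ports a resolver used for
# 40 consecutive outbound queries, as a defender would see them in pcap/flow logs.
FIXED_PORT_SAMPLE = [53] * 40                                            # unpatched behaviour: same port every time
RANDOM_PORT_SAMPLE = random.Random(2008).sample(range(1024, 65536), 40)  # what a port-randomizing resolver looks like

TXID_BITS = 16  # width of the DNS transaction ID, the only variability a fixed-port resolver has


def port_entropy_bits(ports):
    """Shannon entropy (in bits) of the observed source-port distribution."""
    counts = Counter(ports)
    total = len(ports)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def guess_space(ports):
    """Number of (source port, transaction ID) combinations an off-path forger
    would have to cover, estimated from the distinct ports observed.
    This is the quantity that port randomization enlarges."""
    return len(set(ports)) * (2 ** TXID_BITS)


def assess_resolver(ports, min_bits=4.0):
    """Classify a resolver's source-port behaviour from a sample of its outbound ports.
    min_bits is an arbitrary threshold chosen for this example, not a standard value."""
    bits = port_entropy_bits(ports)
    return {
        "distinct_ports": len(set(ports)),
        "entropy_bits": round(bits, 2),
        "guess_space": guess_space(ports),
        "verdict": "randomized" if bits >= min_bits else "fixed-or-weak",
    }


if __name__ == "__main__":
    for name, sample in (("fixed-port resolver", FIXED_PORT_SAMPLE),
                         ("randomizing resolver", RANDOM_PORT_SAMPLE)):
        print(name, assess_resolver(sample))
```

On a real network you would feed `assess_resolver` the ports from your own resolver's outbound traffic; a verdict of `fixed-or-weak` on a resolver that is supposed to be patched is the thing to chase.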
Vixie and his Bind crew ignored the whole thing for a long time until it blew up in their face. Now it is just an excuse to roll out the monster that is called DNSSEC of course. Great marketing.
I predict, without any real evidence to back me up, that DNSSEC is DOA for a simple reason: the total Internetwide deployment of resolver libraries with a "gethostbyname()" interface; none of these libraries can handle transient or "soft" DNS security failures. SSL, a protocol that is far, far easier to deploy and manage than DNSSEC, sees transient errors so often that users are rebelling against the size of the error messages Firefox generates for them. DNSSEC transient failures kill your lookup.
I can give lots of other reasons why DNSSEC isn't going to work, but that's one you might not have thought of.
(Thomas Ptacek in the article == tptacek on Hacker News)
Not exactly a "summary", but... http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.htm...