I have been available for comment since Friday

night, but an update containing my response

has yet to be posted.

I take issue with Dan Kaminsky's fixation on

the necessity of forcing operators of caching

servers everywhere to accept unscheduled changes

(i.e. before the TTLs of the original records

they hold expire) from authoritative domains.

I believe this should be left as a choice each

operator makes by turning a configuration option

on or off: ignore unscheduled updates to reduce

their attack surface, or accept them for faster

convergence in case of unscheduled changes made

by important domain operators who lack redundancy

or forethought...

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/newsbriefs/808/2587#2587