Is anyone else really, really sick of hearing about this "new" DNS vulnerability? I am.
I've been reading about it, the exploits, the infighting between some of our own, the disclosure, the massive coordinated effort to create patches, and DJBDNS's "ha ha". I'm over it.
The first really refreshing blog post/article on this topic that I've seen in weeks came when I hit Errata Security's page and read Robert Graham's article, "The DNS is Falling". Robert seemed to hit all the important points, and quite honestly it's about time. The "big picture", "missing the forest for the trees"... whatever cliché you want to use - we [the security industry] have done it.
Here's my point. As I commented on Robert's blog, the part that should worry everyone who's followed this issue isn't that there is a major new security defect in the way that DNS could be manipulated by evil hax0rs... it's that we have known about this type of attack against DNS for many, many, many years yet have chosen to sit on our hands. It's absolutely mind-boggling to me that with all the talented and brilliant minds that I've met or read about out there in IT Security we have, in 2008, a ridiculously gaping design flaw in the underpinnings [nay, the foundation] of the Internet. ... we're so focused on sexy new technologies that we've completely swept this bugger under the rug and hoped no one would ever notice.
That, my friends, demonstrates to me that we have a much bigger problem in our industry.