March 10, 2010

Entries for month: September 2009

Automating to Address Administrator Absentmindedness

September 24 2009 by Cricket Liu (Infoblox)

Over the past few years--I can't remember exactly when, which is part of the problem--I've become alarmingly forgetful.  I'll get up, walk across the building to do something, and forget completely what it was that I intended to do.  Talk to Julie about upcoming roundtables?  Ask Eric or Arlen a question about UI design?

 

That's a nuisance for me around the office, but it would be downright dangerous if anyone still let me manage a production zone or name server.

Even in the simplest DNS environments, there's a lot to remember:  An SOA record has seven RDATA fields.  Use a trailing dot to prevent the origin from being appended to a domain name.  After editing a zone data file, increment the serial number and reload. Forget any one of those and you've caused an operational issue, maybe even an outage.

Posted in DNSSEC | DNS Best Practices | Automation | 0 comments



The State of the DNS Security Extensions

September 11 2009 by Cricket Liu (Infoblox)

The consequences of a successful cache-poisoning attack are so dire that describing them inevitably sounds like hyperbole:  A hacker who poisons the cache of a recursive name server can redirect users of that name server to web sites that appear identical to those run by their banks, insurers, or governments, where their logins, passwords, and financial information are recorded for later reuse.  He can reroute email through hostile mail servers, where that mail is surreptitiously modified for his gain, or simply copied and stored, with neither sender nor recipient aware.  Virtually every non-trivial transaction that takes place on the Internet relies on DNS, so in a real sense, widespread vulnerability to cache poisoning means the end of trust on the Internet.

Posted in DNSSEC | DNS Security | 0 comments