On 26-Jul-2008, at 09:38 , Ben Croswell wrote:

> I also see a lot of people calling for DNSSEC to fix the underlying
> issue,
> but unless I am mistaken DNSSEC won't fix the issue unless we have
> close to
> 100% adoption rate.

DNSSEC fixes the problem for each pair of a signed domain and a
validating caching server. So, you can be half of the solution by
making sure validation is turned on in your caching servers. Rollout
of signed domains (particularly from the root and TLDs) will take
longer, but I strongly suspect that this exploit is the killer app
we've been waiting for... just slightly more literally than we hoped.