I’ve seen several people making the argument similar to your point: “Reverse engineers are encouraged to have a gander, speculation is good”, which doesn’t mesh with what Dan actually communicated with the public. What Dan explicitly encouraged was further investigation and scrutiny of DNS (which is a good thing). What he explicitly discouraged was public speculation of the vulnerability (which of course is an arguable point). There was certainly no higher authority enforcing Dan’s requests, so it was up to the opinion of each and every researcher to judge his requests and guide their own actions. But saying that Dan encouraged speculation is inaccurate.

Also, the attack doesn’t rely on the birthday paradox. In fact, it’s even more simple. If you can play a game with a low probability of winning a large number of times, you can achieve a high probability of eventually winning one of the games. Since we can request an “unlimited” number of non-existent RRs, each with a low probability X/(2^16) of succeeding (where X is the number of TXIDs we’re able to successfully beat the authoritative server with in the race), we will eventually win the game and poison the cache by slipping in the malicious glue NS RR.

Regards,
Jon Oberheide

Sure you have to initiate the lookup via iframes/image tags/SPAM or compromised hosts to start the race in the first place, but with some form of ‘state’ and good filtering this shouldn’t be such an issue. Network configs can buy time to addess patching…. TIME is still the issue, both the start time and the response time…

Maybe I am missing something. Maybe not.