I casually read Halvar Flake's post speculating on the nature of the DNS flaw this evening. Everyone and their brother appears to be in panic mode over this, but I was blown away by the simplicity. Halvar might have missed a small detail or two, but apparently, he got it more or less correct. But there must be more to it than this, right?
If not, then could it be that such an obvious flaw has been overlooked for more than twenty years because it's so ridiculously simple? Everyone who should have known and/or fixed this missed it due to its simplicity, yet someone with an inquiring mind but little knowledge of DNS can figure it out because they have no prior experience with the protocol? If you had detailed this to me a few months ago, I would have probably said that there's no way it would work, simply because it's so, well, simple. Surely, it couldn't be possible. But apparently it is, and using the dig test from dns-oarc.net, Neal Krawetz found that quite a few provider DNS servers are still unpatched.
Frankly, I'm not sure whether I should be shocked or start looking for Alan Funt hiding behind a plant.