[colmmacc]

I think you're talking past each other and saying the same thing. There never was a Kaminsky bug. There was no new vulnerability. There was a new attack.

Kaminsky figured out how to build a much more practical way to exploit what was known already. This was very significant, and it's one of the ultimate examples of PoC||GTFO finally triggering action. He deserves a lot of credit.

[tptacek]

Sure! I feel like repeated spoofing bids through authority records on responses to random in-bailiwick queries is a novel protocol vulnerability but wouldn't die on the hill of it being instead a new class of attack; we all agree that inadequate randomness is the original sin here.