That's all well and good, but Dan Kaminsky's recent advisory took the unusual step in that 1) the details weren't released at the time of the advisory/patch and 2) he asked others to keep the details quiet if they figured it out. The question is why? The stated reason is to give organizations the time to patch their DNS servers before the bad guys figured out the exploit. Well, that's just wishful thinking.
If you want to keep a secret, don't tell anyone. If you do tell someone a secret, chances are, they will tell someone else. Your secret is gone. It's amazing that Kaminsky and the vendors working on the patch were able to keep the secret for the 8 months they were coordinating the patch. But once the news is out, it's only a matter of time before the bad guys figure out what the problem is and how to exploit it. For that matter, once a patch is released, reverse engineering the patch to find the vulnerability is like leaving a trail of bread crumbs for anyone skilled enough to follow. There are even investigations by researchers at Carnegie Mellon, UC Berkeley, and University of Pittsburgh into automating the process.
Kaminsky violated rule #1 in security: obscurity doesn't work. Ever. In fact, the way this whole thing was managed, Kaminsky was practically begging for someone to come along and break the details. Does anyone think the bad guys were not working on this very problem the moment they saw the announcement and ensuing speculation? Or that they couldn't figure it out in a short time? Of course not.
I think the 30-day suppression period, time to fill Kaminsky's session at Black Hat in Vegas, hurt more than it helped. The backlash and speculation wasn't stemmed. The details still came out early. And really, if you hadn't patched your DNS by now, is this going to motivate you? Probably not. But next time, just come clean with the details when the advisory and patch is announced, lest you be outted by your peers.
One last thing. The details are being pulled from sites that have it posted. You can find the details on Slashdot. Or you can e-mail me and I will send it to you.