Multiple DNS implementations vulnerable to cache poisoning

Joe Abley jabley at ca.afilias.info
Wed Jul 9 16:32:13 UTC 2008


On 9 Jul 2008, at 12:05, Christopher Morrow wrote:

> On Wed, Jul 9, 2008 at 11:41 AM, Steven M. Bellovin <smb at cs.columbia.edu 
> > wrote:
>
>> The ISC web page on the attack notes "DNSSEC is the only definitive
>> solution for this issue. Understanding that immediate DNSSEC  
>> deployment
>> is not a realistic expectation..."  I wonder what NANOG folk can do
>> about the second part of that quote...
>
> get the root zone signed, get com/net/org/ccTLD's signed.. oh wait,
> that's not nanog... doh!

The timeline for signing ORG was presented by PIR at the recent ICANN  
meeting in Paris.

   http://par.icann.org/files/paris/RaadDNSSEC.pdf

The estimated timeline expressed that slide would have a signed ORG  
zone containing some DS records by the beginning of next year, with  
full mainstream availability (such that any registrant could use a  
DNSSEC-capable registrar to request a secure delegation) in 2010.


Joe





More information about the NANOG mailing list