Multiple DNS implementations vulnerable to cache poisoning

Sean Donelan sean at
Wed Jul 9 17:55:52 UTC 2008

On Wed, 9 Jul 2008, Steven M. Bellovin wrote:
> How many ISPs run DNS servers for customers?  Start by signing those
> zones -- that has to be done in any event.  Set up caching resolvers to
> verify signatures.  "It is not your part to finish the task, yet you
> are not free to desist from it."  (From the Talmud, circa 130.)
> No, I didn't say it would be easy, but if we don't start we're not
> going to get anywhere.

Are these the same ISPs that haven't started implementing other
anti-spoofing controls like BCP38++?

What is the estimated completion date to stop all spoofed IP packets,
included but only DNS spoofing?

More information about the NANOG mailing list