Multiple DNS implementations vulnerable to cache poisoning
Sean Donelan
sean at donelan.com
Wed Jul 9 17:55:52 UTC 2008
On Wed, 9 Jul 2008, Steven M. Bellovin wrote:
> How many ISPs run DNS servers for customers? Start by signing those
> zones -- that has to be done in any event. Set up caching resolvers to
> verify signatures. "It is not your part to finish the task, yet you
> are not free to desist from it." (From the Talmud, circa 130.)
>
> No, I didn't say it would be easy, but if we don't start we're not
> going to get anywhere.
Are these the same ISPs that haven't started implementing other
anti-spoofing controls like BCP38++?

What is the estimated completion date to stop all spoofed IP packets,
included but only DNS spoofing?