Multiple DNS implementations vulnerable to cache poisoning
Paul Ferguson
fergdawg at netzero.net
Wed Jul 9 18:03:48 UTC 2008
-- Sean Donelan <sean at donelan.com> wrote:
>On Wed, 9 Jul 2008, Steven M. Bellovin wrote:
>> How many ISPs run DNS servers for customers? Start by signing those
>> zones -- that has to be done in any event. Set up caching resolvers to
>> verify signatures. "It is not your part to finish the task, yet you
>> are not free to desist from it." (From the Talmud, circa 130.)
>>
>> No, I didn't say it would be easy, but if we don't start we're not
>> going to get anywhere.
>
>Are these the same ISPs that haven't started implementing other
>anti-spoofing controls like BCP38++?
>
>What is the estimated completion date to stop all spoofed IP packets,
>included but only DNS spoofing?
The second Tuesday of next week? ;-)
- ferg (BCP38 Protagonist)
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/