Multiple DNS implementations vulnerable to cache poisoning

Paul Ferguson fergdawg at netzero.net
Wed Jul 9 13:03:48 CDT 2008


-- Sean Donelan <sean at donelan.com> wrote:

>On Wed, 9 Jul 2008, Steven M. Bellovin wrote:
>> How many ISPs run DNS servers for customers?  Start by signing those
>> zones -- that has to be done in any event.  Set up caching resolvers to
>> verify signatures.  "It is not your part to finish the task, yet you
>> are not free to desist from it."  (From the Talmud, circa 130.)
>>
>> No, I didn't say it would be easy, but if we don't start we're not
>> going to get anywhere.
>
>Are these the same ISPs that haven't started implementing other
>anti-spoofing controls like BCP38++?
>
>What is the estimated completion date to stop all spoofed IP packets,
>included but only DNS spoofing?

The second Tuesday of next week? ;-)

- ferg (BCP38 Protagonist)



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/





