North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Multiple DNS implementations vulnerable to cache poisoning

  • From: Steven M. Bellovin
  • Date: Wed Jul 09 12:11:37 2008

On Wed, 9 Jul 2008 12:05:38 -0400
"Christopher Morrow" <[email protected]> wrote:

> On Wed, Jul 9, 2008 at 11:41 AM, Steven M. Bellovin
> <[email protected]> wrote:
> 
> > The ISC web page on the attack notes "DNSSEC is the only definitive
> > solution for this issue. Understanding that immediate DNSSEC
> > deployment is not a realistic expectation..."  I wonder what NANOG
> > folk can do about the second part of that quote...
> 
> get the root zone signed, get com/net/org/ccTLD's signed.. oh wait,
> that's not nanog... doh!
> 
> Pressure your local ICANN officers?
> 
How many ISPs run DNS servers for customers?  Start by signing those
zones -- that has to be done in any event.  Set up caching resolvers to
verify signatures.  "It is not your part to finish the task, yet you
are not free to desist from it."  (From the Talmud, circa 130.)

No, I didn't say it would be easy, but if we don't start we're not
going to get anywhere.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb