Re: Multiple DNS implementations vulnerable to cache poisoning

• From: Sean Donelan
• Date: Wed Jul 09 13:57:22 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

How many ISPs run DNS servers for customers?  Start by signing those
zones -- that has to be done in any event.  Set up caching resolvers to
verify signatures.  "It is not your part to finish the task, yet you
are not free to desist from it."  (From the Talmud, circa 130.)

No, I didn't say it would be easy, but if we don't start we're not
going to get anywhere.

Are these the same ISPs that haven't started implementing other
anti-spoofing controls like BCP38++?

What is the estimated completion date to stop all spoofed IP packets,
included but only DNS spoofing?

• References:
  • Multiple DNS implementations vulnerable to cache poisoning Buhrmaster, Gary
  • Re: Multiple DNS implementations vulnerable to cache poisoning Steven M. Bellovin
  • Re: Multiple DNS implementations vulnerable to cache poisoning Christopher Morrow
  • Re: Multiple DNS implementations vulnerable to cache poisoning Steven M. Bellovin

• Prev by Date: Re: Multiple DNS implementations vulnerable to cache poisoning
• Next by Date: Re: Multiple DNS implementations vulnerable to cache poisoning
• Date Index
• Thread Index
• Author Index
• Historical