Re: Multiple DNS implementations vulnerable to cache poisoning

• From: Paul Ferguson
• Date: Wed Jul 09 14:05:43 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- Sean Donelan <[email protected]> wrote:

>On Wed, 9 Jul 2008, Steven M. Bellovin wrote:
>> How many ISPs run DNS servers for customers?  Start by signing those
>> zones -- that has to be done in any event.  Set up caching resolvers to
>> verify signatures.  "It is not your part to finish the task, yet you
>> are not free to desist from it."  (From the Talmud, circa 130.)
>>
>> No, I didn't say it would be easy, but if we don't start we're not
>> going to get anywhere.
>
>Are these the same ISPs that haven't started implementing other
>anti-spoofing controls like BCP38++?
>
>What is the estimated completion date to stop all spoofed IP packets,
>included but only DNS spoofing?

The second Tuesday of next week? ;-)

- - ferg (BCP38 Protagonist)

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIdP19q1pz9mNUZTMRAjhrAKC1a0S5jPNyp3BMg932hghE8xG/xwCgzNgl
wdnoEpm0aNTbg+2KHU0w94I=
=Uyns
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/

• Prev by Date: Re: Multiple DNS implementations vulnerable to cache poisoning
• Next by Date: Re: Multiple DNS implementations vulnerable to cache poisoning
• Date Index
• Thread Index
• Author Index
• Historical