[105903] in North American Network Operators' Group
Re: Multiple DNS implementations vulnerable to cache poisoning
daemon@ATHENA.MIT.EDU (Joe Abley)
Wed Jul 9 12:32:29 2008
From: Joe Abley <jabley@ca.afilias.info>
To: Christopher Morrow <morrowc.lists@gmail.com>
In-Reply-To: <75cb24520807090905p75554c13l5f45796107551068@mail.gmail.com>
Date: Wed, 9 Jul 2008 12:32:13 -0400
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On 9 Jul 2008, at 12:05, Christopher Morrow wrote:
> On Wed, Jul 9, 2008 at 11:41 AM, Steven M. Bellovin <smb@cs.columbia.edu
> > wrote:
>
>> The ISC web page on the attack notes "DNSSEC is the only definitive
>> solution for this issue. Understanding that immediate DNSSEC
>> deployment
>> is not a realistic expectation..." I wonder what NANOG folk can do
>> about the second part of that quote...
>
> get the root zone signed, get com/net/org/ccTLD's signed.. oh wait,
> that's not nanog... doh!
The timeline for signing ORG was presented by PIR at the recent ICANN
meeting in Paris.
http://par.icann.org/files/paris/RaadDNSSEC.pdf
The estimated timeline expressed that slide would have a signed ORG
zone containing some DS records by the beginning of next year, with
full mainstream availability (such that any registrant could use a
DNSSEC-capable registrar to request a secure delegation) in 2010.
Joe
