[105910] in North American Network Operators' Group
Re: Multiple DNS implementations vulnerable to cache poisoning
daemon@ATHENA.MIT.EDU (Sean Donelan)
Wed Jul 9 13:57:26 2008
Date: Wed, 9 Jul 2008 13:55:52 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
In-Reply-To: <20080709121127.63a6c8f5@yellowstone.machshav.com>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On Wed, 9 Jul 2008, Steven M. Bellovin wrote:
> How many ISPs run DNS servers for customers? Start by signing those
> zones -- that has to be done in any event. Set up caching resolvers to
> verify signatures. "It is not your part to finish the task, yet you
> are not free to desist from it." (From the Talmud, circa 130.)
>
> No, I didn't say it would be easy, but if we don't start we're not
> going to get anywhere.
Are these the same ISPs that haven't started implementing other
anti-spoofing controls like BCP38++?
What is the estimated completion date to stop all spoofed IP packets,
including but not only DNS spoofing?