[105911] in North American Network Operators' Group
Re: Multiple DNS implementations vulnerable to cache poisoning
daemon@ATHENA.MIT.EDU (Paul Ferguson)
Wed Jul 9 14:05:43 2008
From: "Paul Ferguson" <fergdawg@netzero.net>
Date: Wed, 9 Jul 2008 18:03:48 GMT
To: sean@donelan.com
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -- Sean Donelan <sean@donelan.com> wrote:
>On Wed, 9 Jul 2008, Steven M. Bellovin wrote:
>> How many ISPs run DNS servers for customers? Start by signing those
>> zones -- that has to be done in any event. Set up caching resolvers to
>> verify signatures. "It is not your part to finish the task, yet you
>> are not free to desist from it." (From the Talmud, circa 130.)
>>
>> No, I didn't say it would be easy, but if we don't start we're not
>> going to get anywhere.
>
>Are these the same ISPs that haven't started implementing other
>anti-spoofing controls like BCP38++?
>
>What is the estimated completion date to stop all spoofed IP packets,
>included but only DNS spoofing?
The second Tuesday of next week? ;-)
- - ferg (BCP38 Protagonist)
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)
wj8DBQFIdP19q1pz9mNUZTMRAjhrAKC1a0S5jPNyp3BMg932hghE8xG/xwCgzNgl
wdnoEpm0aNTbg+2KHU0w94I=
=Uyns
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/