nanog mailing list archives
Re: Multiple DNS implementations vulnerable to cache poisoning
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Wed, 9 Jul 2008 12:11:27 -0400
On Wed, 9 Jul 2008 12:05:38 -0400 "Christopher Morrow" <morrowc.lists () gmail com> wrote:

> On Wed, Jul 9, 2008 at 11:41 AM, Steven M. Bellovin <smb () cs columbia edu> wrote:
> > The ISC web page on the attack notes "DNSSEC is the only definitive solution for this issue. Understanding that immediate DNSSEC deployment is not a realistic expectation..." I wonder what NANOG folk can do about the second part of that quote...
>
> get the root zone signed, get com/net/org/ccTLD's signed.. oh wait, that's not nanog... doh!
>
> Pressure your local ICANN officers?

How many ISPs run DNS servers for customers? Start by signing those zones -- that has to be done in any event. Set up caching resolvers to verify signatures. "It is not your part to finish the task, yet you are not free to desist from it." (From the Talmud, circa 130.)

No, I didn't say it would be easy, but if we don't start we're not going to get anywhere.

--Steve Bellovin, http://www.cs.columbia.edu/~smb