Re: Multiple DNS implementations vulnerable to cache poisoning

["Paul Ferguson" <fergdawg () netzero net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- Sean Donelan <sean () donelan com> wrote:

> On Wed, 9 Jul 2008, Steven M. Bellovin wrote:
> > How many ISPs run DNS servers for customers?  Start by signing those
> > zones -- that has to be done in any event.  Set up caching resolvers to
> > verify signatures.  "It is not your part to finish the task, yet you
> > are not free to desist from it."  (From the Talmud, circa 130.)
> >
> > No, I didn't say it would be easy, but if we don't start we're not
> > going to get anywhere.
>
> Are these the same ISPs that haven't started implementing other
> anti-spoofing controls like BCP38++?
>
> What is the estimated completion date to stop all spoofed IP packets,
> included but only DNS spoofing?

The second Tuesday of next week? ;-)

- - ferg (BCP38 Protagonist)

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIdP19q1pz9mNUZTMRAjhrAKC1a0S5jPNyp3BMg932hghE8xG/xwCgzNgl
wdnoEpm0aNTbg+2KHU0w94I=
=Uyns
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/