[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Paul Vixie vixie at isc.org
Thu Jul 10 06:28:06 UTC 2008


> bcp38 is useful but not vital.  we do not suffer serious spoofing
> attacks despite years of fud about it.

i think we all suffer indirectly, and that some of us also suffer directly,
and that this suffering is quite serious.  allow me to explain.

> and it is not really critical to this particular vulnerability.

all of the attacks described or mitigated by 

http://www.ietf.org/internet-drafts/draft-ietf-dnsext-forgery-resilience-05.txt

rely on spoofing the IP source address.  i would go as far as to say that if
BCP38 were universally implemented, there would be no forgery-resilience draft
and no CERT VU#800113 and no need for udp source port randomization nor for
http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00.  even the case for
Secure DNS depends somewhat on the continued nonuniversal deployment of BCP38.

> but it sure is religion for some people.

lack of universal BCP38 deployment drives up the cost of everything else we
develop or deploy -- it's the hidden tax on everything we do.  the possibility
of attacks which spoof IP source addresses has to be accounted for in every
design, and it's a risk that must be constantly and unendingly managed.

folks also do use it from time to time to do evil.  not all day every day, and
apparently not in a way that everybody everywhere notices directly.  and i'll
grant that the potential problem is greater than the day to day problem...
for now... until august 6.

> but you already knew i was not sane.

that's a personal statement, dependent upon facts not in evidence.  i
prefer to note that if all men are mortal and socrates is a man then socrates
is mortal, yet if IP spoofing isn't in daily universal use, but it could be
used by almost anybody at almost any time, then BCP38 deployment is vital.
