[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Jay Daley jay at nominet.org.uk
Thu Jul 10 09:29:46 UTC 2008

vixie at isc.org wrote on 10/07/2008 07:28:06:

> lack of universal BCP38 deployment drives up the cost of everything else 
> develop or deploy -- it's the hidden tax on everything we do.  the 
> of attacks which spoof IP source addresses has to be accounted for in 
> design, and it's a risk that must be constantly and unendingly managed.


> that's a personal statement, dependendent upon facts not in evidence.  i
> prefer to note that if all men are mortal and socrates is a man then 
> is mortal, yet if IP spoofing isn't in daily universal use, but it could 
> used by almost anybody at almost any time, then BCP38 deployment is 

I completely agree.  The failure of the ISP community to universally 
implement BCP38 is an utterly shameful evasion of their responsibilities. 
When the regulators come calling at the ISPs door with some real intent to 
sort out Internet security, then I for one will have no sympathy 
whatsoever for pleas from the ISPs for reasonable regulation.


More information about the dns-operations mailing list