[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Patrick W. Gilmore patrick at ianai.net
Fri Jul 11 15:28:43 UTC 2008

On Jul 11, 2008, at 10:03 AM, Lutz Donnerhacke wrote:
> * Patrick W. Gilmore wrote:
>> I know people think I am being silly these days, but I have another
>> silly question: If BCP38 were implemented Internet-wide, how exactly
>> would you poison a recursive name server?
> From inside the AS, i.e. from the LAN.

First, LAN != AS.  If I have a server on the same _LAN_ as yours, you  
have other problems.

Second, BCP38 does not say "only filter at your AS boundary"?
uRPF is much more granular than that.
