[dns-operations] Trend/ISC DNS Changer takedown.

Dobbins, Roland rdobbins at arbor.net
Fri Nov 11 10:36:58 UTC 2011

On Nov 11, 2011, at 4:58 PM, Peter Koch wrote:

> wouldn't it be of great help if everybody just protected their customers/users from falling victim to this evil by applying the appropriate access lists?

. . . and if they all deployed anti-spoofing at their edges, and if they deployed all the network infrastructure self-protection BCPs, and if they . . . well, you get the idea.


But DNSSEC has to be baked all the way down into the libs and the client/server OSes and the apps in order to be truly effective - and even then, unless/until libs and OSes are cryptographically signed and enforced (assuming that's a desirable thing, in the bigger picture) via hardware, other subversion mechanisms are possible.  Increments, though.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde
