[dns-operations] Storm on the DNS
Paul Vixie
paul at redbarn.org
Wed Dec 9 00:49:40 UTC 2015
On Wednesday, December 09, 2015 09:19:22 AM Mark Andrews wrote:
> We should be leveraging the existing work like bcp38.info.
>
> CPE border routers should be filtering non locally sourced packets
> so that compromised internal machines don't get to spew traffic
> onto the Internet.
well, sure. but there's a very long tail on those devices, and many of those now deployed will
only translate 192.168.1.* source addresses, forwarding the rest unchanged. these are
embedded devices, replaced only when they fail, and upgraded never.
> We should be pushing for legislation that requires vendors to publish
> known flaws that allow a system to be taken over and also require
> vendors to publish free fixes for those compromises for at least
> 10 years from last customer shipment.
as tpp becomes law, you'll see exactly the opposite approach implemented.
> This ship and forget mentality
> has to be stopped. Reasonable time frames also need to be specified.
> There also has to be a free way to report a flaw.
also, we need a pony.
--
P Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20151208/b95c4bb5/attachment.html>
More information about the dns-operations
mailing list