[dns-operations] Storm on the DNS

Paul Vixie paul at redbarn.org
Wed Dec 9 00:49:40 UTC 2015

On Wednesday, December 09, 2015 09:19:22 AM Mark Andrews wrote:
> We should be leveraging the existing work like bcp38.info.
> CPE border routers should be filtering non locally sourced packets
> so that compromised internal machines don't get to spew traffic
> onto the Internet.

well, sure. but there's a very long tail on those devices, and many of those now deployed will 
only translate 192.168.1.* source addresses, forwarding the rest unchanged. these are 
embedded devices, replaced only when they fail, and upgraded never.

> We should be pushing for legislation that requires vendors to publish
> known flaws that allow a system to be taken over and also require
> vendors to publish free fixes for those compromises for at least
> 10 years from last customer shipment.

as tpp becomes law, you'll see exactly the opposite approach implemented.

> This ship and forget mentality
> has to be stopped.  Reasonable time frames also need to be specified.
> There also has to be a free way to report a flaw.

also, we need a pony.

P Vixie
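
Added example, not part of the original message: a small Python model of the CPE egress behaviour discussed in this exchange, comparing a device that translates only 192.168.1.* and forwards everything else unchanged with one that drops non-locally sourced packets as BCP 38 asks. The WAN address, function names and sample source addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumed values for illustration (not taken from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")     # the only range the CPE translates
WAN_ADDR = ipaddress.ip_address("203.0.113.7")   # constructed public address (TEST-NET-3)


def egress(src, bcp38):
    """Decide what the CPE does with a LAN-side packet.

    Returns (action, source address visible upstream).
    bcp38=False models the legacy device: translate the LAN range,
    forward any other source unchanged.
    bcp38=True models source validation: anything not locally
    sourced is dropped at the border.
    """
    addr = ipaddress.ip_address(src)
    if addr in LAN:
        return ("nat", str(WAN_ADDR))
    if bcp38:
        return ("drop", None)
    return ("forward", src)


def leaked_sources(sources, bcp38):
    """Source addresses that reach the upstream link without validation."""
    leaked = []
    for src in sources:
        action, seen = egress(src, bcp38)
        if action == "forward":
            leaked.append(seen)
    return leaked


# Constructed sample: two legitimate hosts, then three packets whose
# source is outside the LAN range (as sent by a compromised internal machine).
SAMPLE = ["192.168.1.23", "192.168.1.200", "198.51.100.9", "10.0.0.5", "192.168.2.1"]

if __name__ == "__main__":
    for mode in (False, True):
        label = "bcp38 filter" if mode else "legacy cpe"
        print(label, "->", leaked_sources(SAMPLE, mode))
```
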