[dns-operations] Storm on the DNS

Mark Andrews marka at isc.org
Wed Dec 9 01:42:20 UTC 2015

In message <724812756.gRhp279Gg0 at linux-85bq.suse>, Paul Vixie writes:
> On Wednesday, December 09, 2015 09:19:22 AM Mark Andrews wrote:
> > We should be leveraging the existing work like bcp38.info.
> > 
> > CPE border routers should be filtering non locally sourced packets
> > so that compromised internal machines don't get to spew traffic
> > onto the Internet.
> well, sure. but there's a very long tail on those devices, and many of
> those now deployed will only translate 192.168.1.* source addresses,
> forwarding the rest unchanged. these are embedded devices, replaced
> only when they fail, and upgraded never.

Which is all the more to specify minimum acceptable practices.

> > We should be pushing for legislation that requires vendors to publish
> > known flaws that allow a system to be taken over and also require
> > vendors to publish free fixes for those compromises for at least
> > 10 years from last customer shipment.
> as tpp becomes law, you'll see exactly the opposite approach implemented.

That may be, but we can try.

> > This ship and forget mentality
> > has to be stopped.  Reasonable time frames also need to be specified.
> > There also has to be a free way to report a flaw.
> also, we need a pony.

And you get neither unless you ask.
> -- 
> P Vixie
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list