[dns-operations] Storm on the DNS
Mark Andrews
marka at isc.org
Wed Dec 9 01:42:20 UTC 2015
In message <724812756.gRhp279Gg0 at linux-85bq.suse>, Paul Vixie writes:
> On Wednesday, December 09, 2015 09:19:22 AM Mark Andrews wrote:
> > We should be leveraging the existing work like bcp38.info.
> >
> > CPE border routers should be filtering non locally sourced packets
> > so that compromised internal machines don't get to spew traffic
> > onto the Internet.
>
> well, sure. but there's a very long tail on those devices, and many of
> those now deployed will only translate 192.168.1.* source addresses,
> forwarding the rest unchanged. these are embedded devices, replaced
> only when they fail, and upgraded never.
Which is all the more reason to specify minimum acceptable practices.
> > We should be pushing for legislation that requires vendors to publish
> > known flaws that allow a system to be taken over and also require
> > vendors to publish free fixes for those compromises for at least
> > 10 years from last customer shipment.
>
> as tpp becomes law, you'll see exactly the opposite approach implemented.
That may be, but we can try.
> > This ship and forget mentality
> > has to be stopped. Reasonable time frames also need to be specified.
> > There also has to be a free way to report a flaw.
>
> also, we need a pony.
And you get neither unless you ask.
> --
> P Vixie
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org