-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -- Sean Donelan <sean@donelan.com> wrote:

On Wed, 9 Jul 2008, Steven M. Bellovin wrote:

...

How many ISPs run DNS servers for customers? Start by signing those zones -- that has to be done in any event. Set up caching resolvers to verify signatures. "It is not your part to finish the task, yet you are not free to desist from it." (From the Talmud, circa 130.)

No, I didn't say it would be easy, but if we don't start we're not going to get anywhere.

Are these the same ISPs that haven't started implementing other anti-spoofing controls like BCP38++?

What is the estimated completion date to stop all spoofed IP packets, included but only DNS spoofing?

The second Tuesday of next week? ;-) - - ferg (BCP38 Protagonist) -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFIdP19q1pz9mNUZTMRAjhrAKC1a0S5jPNyp3BMg932hghE8xG/xwCgzNgl wdnoEpm0aNTbg+2KHU0w94I= =Uyns -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/