Re: Autonomous System Sanity Protocol

Valdis.Kletnieks@vt.edu Sun, 27 April 1997 06:07 UTC

Received: from cnri by ietf.org id aa13227; 27 Apr 97 2:07 EDT
Received: from murtoa.cs.mu.OZ.AU by CNRI.Reston.VA.US id aa02763; 27 Apr 97 2:07 EDT
Received: from mailing-list by murtoa.cs.mu.OZ.AU (8.6.9/1.0) id PAA10621; Sun, 27 Apr 1997 15:57:13 +1000
Received: from munnari.OZ.AU by murtoa.cs.mu.OZ.AU (8.6.9/1.0) with SMTP id PAA10586; Sun, 27 Apr 1997 15:51:09 +1000
Received: from black-ice.cc.vt.edu by munnari.OZ.AU with SMTP (5.83--+1.3.1+0.56) id FA22490; Sun, 27 Apr 1997 15:51:07 +1000 (from valdis@black-ice.cc.vt.edu)
Received: from black-ice.cc.vt.edu (valdis@LOCALHOST [127.0.0.1]) by black-ice.cc.vt.edu (8.8.5/8.8.5) with ESMTP id BAA31818; Sun, 27 Apr 1997 01:51:00 -0400
Message-Id: <199704270551.BAA31818@black-ice.cc.vt.edu>
To: Bill Manning <bmanning@isi.edu>
Cc: Tony Li <tli@jnx.com>, RADIA_PERLMAN@novell.com, big-internet@munnari.oz.au
Subject: Re: Autonomous System Sanity Protocol
In-Reply-To: Your message of "Sat, 26 Apr 1997 20:05:44 PDT." <199704270305.AA01853@zephyr.isi.edu>
From: Valdis.Kletnieks@vt.edu
X-Url: http://black-ice.cc.vt.edu/~valdis/
References: <199704270305.AA01853@zephyr.isi.edu>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-773495472P"; micalg="pgp-md5"; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Sun, 27 Apr 1997 01:50:56 -0400
Precedence: bulk

On Sat, 26 Apr 1997 20:05:44 PDT, Bill Manning said:
> Humm, perhaps a first, rough cut might be turning on DNS Security for the
> inverse delegations all the way down.  That way you could get a "chain of
> custody" for the authoritative delegations.  You could also discriminate
> proxy aggregations... :)

Hmm.. but first, we have to actually get inverse delegations that work.

Hell. In the past 5 days on our Listserv hub, I've seen no less than 661 *different* 'Lame server' messages from BIND for the *forward* lookup.

On the other hand, Bill may be onto something here.. if we require that the people get their acts together enough so their nameserver forward and inverse tables are correct, and get crypto keys set up, that would probably nuke out all the marginal domains that have too low a cluon flux density. It wouldn't stop a determined and clued attacker, but at least we'd probably turn off most possible origins of "network meltdown from 'ISP Administration for Dummies'" type attacks....


-- 
				Valdis Kletnieks
				Computer Systems Engineer
				Virginia Tech
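The two operational checks this message alludes to, that a nameserver's forward and inverse tables agree with each other, and that a delegated server is not "lame" (listed as authoritative by the parent but not actually answering authoritatively for the zone), can be expressed as small offline consistency checks. The following Python is an added example for this archive page, not code from the poster or the list; it runs over constructed in-memory record sets (the `forward`, `reverse`, `delegations` and `served_by` dictionaries and the example.net names are all made up for illustration) rather than querying live DNS, so it can be run anywhere and the same logic can be pointed at zone exports or query results.

```python
"""Forward/inverse DNS consistency and lame-delegation checks over constructed data.

Added example (not from the original mailing-list post). All record sets below
are constructed for illustration; nothing here touches the network.
"""
import ipaddress


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an address, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_consistency(forward, reverse):
    """Compare a forward table with an inverse table.

    forward: {hostname: [address, ...]}   (A/AAAA data)
    reverse: {ptr_owner_name: hostname}   (PTR data)
    Returns a list of (kind, detail) findings; an empty list means the
    tables agree in both directions (forward-confirmed reverse DNS).
    """
    findings = []
    ptr_owners_seen = set()

    # Direction 1: every forward address must have a PTR that points back.
    for host, addrs in forward.items():
        for ip in addrs:
            owner = reverse_name(ip)
            ptr_owners_seen.add(owner)
            target = reverse.get(owner)
            if target is None:
                findings.append(("missing-ptr", f"{host} -> {ip}: no PTR at {owner}"))
            elif target != host:
                findings.append(("ptr-mismatch", f"{owner} PTR {target}, expected {host}"))

    # Direction 2: every PTR must name a host whose forward data includes that address.
    for owner, target in reverse.items():
        if owner in ptr_owners_seen:
            continue  # already validated from the forward side
        forward_owners = {reverse_name(a) for a in forward.get(target, [])}
        if owner not in forward_owners:
            findings.append(("dangling-ptr", f"{owner} PTR {target}: no matching forward record"))
    return findings


def lame_delegations(delegations, served_by):
    """Report (zone, nameserver) pairs that the parent delegates to but that
    do not answer authoritatively for the zone, i.e. lame servers.

    delegations: {zone: [nameserver, ...]}  (NS set published by the parent)
    served_by:   {nameserver: {zone, ...}}  (zones each server is actually authoritative for)
    """
    return [
        (zone, ns)
        for zone, servers in delegations.items()
        for ns in servers
        if zone not in served_by.get(ns, set())
    ]


# --- constructed sample data (hypothetical names and addresses) ---
SAMPLE_FORWARD = {
    "mail.example.net.": ["192.0.2.10"],
    "www.example.net.": ["192.0.2.20", "192.0.2.21"],  # .21 has no PTR
    "old.example.net.": ["192.0.2.30"],                # PTR names a different host
}
SAMPLE_REVERSE = {
    "10.2.0.192.in-addr.arpa.": "mail.example.net.",
    "20.2.0.192.in-addr.arpa.": "www.example.net.",
    "30.2.0.192.in-addr.arpa.": "stale.example.net.",
    "40.2.0.192.in-addr.arpa.": "ghost.example.net.",  # no forward record at all
}
SAMPLE_DELEGATIONS = {"example.net.": ["ns1.example.net.", "ns2.provider.example."]}
SAMPLE_SERVED_BY = {
    "ns1.example.net.": {"example.net."},
    "ns2.provider.example.": {"other.example."},  # delegated to, but not serving the zone
}


def run_sample():
    """Run both checks over the constructed data and return the findings."""
    return check_consistency(SAMPLE_FORWARD, SAMPLE_REVERSE), lame_delegations(
        SAMPLE_DELEGATIONS, SAMPLE_SERVED_BY
    )


if __name__ == "__main__":
    consistency, lame = run_sample()
    for kind, detail in consistency:
        print(f"{kind:13} {detail}")
    for zone, ns in lame:
        print(f"lame-server   {ns} delegated for {zone} but not authoritative")
```

On the constructed data the consistency check reports one missing PTR, one PTR/forward mismatch and one dangling PTR, and the delegation check flags the second nameserver as lame; a clean zone produces empty lists from both functions, which is the condition the message proposes requiring before anyone bothers signing the inverse tree.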