[Unbound-users] Increase RRset poisoning resistance
wouter at NLnetLabs.nl
Tue Aug 12 07:11:05 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
|> Read his papers from doxpara.com... It's just much more easier to
|> cache if you don't do random ports.
| Argh yes ...... The basic system design weakness remains.
|>> Suggestion: That unbound incorporate additional logic to defend
|>> against a
|>> "poisoned authority record" attack - logic in addition to its superior
|>> port/qid randomization?
| Well......yes, it ....... could .....
| But we really don't know, do we! This second type of attack is much more
| threatening than the first, and no one else has any answers. FWICT
| DNSSEC won't defend against it.
| You're very likely right - it is not perfect. But it may prove to be
| very good in many applications.
| Unbound is under active development at a time of "danger"; this is a
| perfect opportunity to test some radical approaches that may work well
| 99% of the time.
| Put the option in with a default setting to "off"; not activated. Put a
| little note next to it that this option is for beta testing.
| This would allow folks to test it. It may work quite well in many
| situations; not so well in others. A log entry could record when an
| in-bailiwick RR record was rejected.
I am working on working, non-disruptive filtering mechanisms. Just like
the ones released in 1.0.2.
Thanks for the suggestion. Such options, like caps-for-id (0x20), are
good to have.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the Unbound-users