[Unbound-users] unbound 1.4.6 released
Florian Weimer
fweimer at bfk.de
Wed Aug 4 14:25:41 UTC 2010
* Peter Koch:
> these two don't compare too well IMHO. First, the only issue in 0x20
> that needed(?) standardization was the advice that the QNAME be copied
> to the response bitwise (no casefolding involved). Whether or not
> that constituted a change people have varying opinions about.
> The hack itself is pretty much client side and it was fully described
> in the I-D (still I'm not too happy to see this defaulted to from an
> operational perspective).
The main problem with 0x20 is that it was intended as a cheap way to get
more hard-to-guess bits. However, it turned out that it did not
actually achieve that goal unless you have tons of rather
non-traditional checks in your resolver (AFAIUI, Unbound has them).
This means that 0x20 wasn't that attractive for implementors in the
end.
> That would indeed be interesting, but DNScurve isn't as complete and
> stable as 0x20 possibly could be.
Unfortunately, 0x20 tends to expose broken authoritative servers which
would otherwise work just fine (see the list archives).
> I appreciate resolver implementers being conservative about
> implementing moving targets.
Last time I checked, there wasn't really a target because it's
difficult to find the description of the correct cryptographic
algorithms.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
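As an added illustration of the 0x20 mechanism discussed in this thread (example code written for this archive page, not from the original post or from Unbound itself): the resolver randomizes the case of each ASCII letter in the QNAME, expects the authoritative server to echo it back bitwise, and rejects answers whose QNAME does not match. The function names, the constructed sample names and the "casefolded" classification are this example's own; it also shows the failure mode Florian mentions, where a server that lowercases the QNAME is rejected even though its answer is otherwise fine.

```python
import random
import secrets


def encode_0x20(qname: str, rng=None) -> str:
    """Randomize the case of every ASCII letter in a query name (the 0x20 trick).

    rng defaults to a CSPRNG; a seeded random.Random can be passed for tests.
    Non-letters (dots, digits, hyphens) carry no case and are left alone.
    """
    rng = rng or secrets.SystemRandom()
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if rng.getrandbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def entropy_bits(qname: str) -> int:
    """Extra hard-to-guess bits 0x20 adds: one per ASCII letter in the name."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def forgery_guess_probability(qname: str) -> float:
    """Chance a single blind forgery matches the case pattern alone (ignores
    the transaction ID and source port, which add their own bits)."""
    return 2.0 ** -entropy_bits(qname)


def classify_answer(sent_qname: str, answer_qname: str) -> str:
    """Compare the QNAME echoed in a response against what was sent, bitwise.

    A 0x20-aware resolver must NOT casefold here; the comparison is exact.
    'reject-casefolded' marks a server that rewrote the case of the name:
    legitimate, but incompatible with 0x20 (the "broken authoritative
    servers" the thread refers to).
    """
    if sent_qname == answer_qname:
        return "accept"
    if sent_qname.lower() == answer_qname.lower():
        return "reject-casefolded"
    return "reject-mismatch"


if __name__ == "__main__":
    # Constructed sample: a query for a fictitious name.
    sent = encode_0x20("www.example.com.")
    print("query sent with 0x20:", sent, "(", entropy_bits(sent), "extra bits )")
    print("bitwise echo       :", classify_answer(sent, sent))
    print("casefolding server :", classify_answer(sent, sent.lower()))
    print("forged answer      :", classify_answer(sent, "wWw.ExAmPlF.cOm."))
```

Note that the entropy gain depends entirely on how many letters the name contains; short or digit-heavy names contribute few bits, which is part of why the thread calls the hack's payoff smaller than hoped.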