Please consider another newbie posting and question.

Referring to this article (Matasano): <http://beezari.livejournal.com/141796.html> and this article (Friedl): <http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html#poisoning> there seem to be two attacks of current (Kaminsky) interest:

1. "poison a single address record" attack. This is when an attacker tries to match the qid/port of a request. This is clearly not an issue with unbound, which is well designed in terms of randomness, and has first-rate test results; e.g. <https://www.dns-oarc.net/oarc/services/porttest>

2. "hijack the authority records" (RRset poisoning). This is where the server is sent to a bogus authority NS that is in-bailiwick with the target. The last five paragraphs of the Matasano paper (from "5" to the end) describe how an in-bailiwick poisoning could occur; the last few paragraphs of the Friedl paper perhaps describe it more elegantly.

If I understand correctly, this second attack is much more likely to succeed because it is continuous - a series of requested in-bailiwick addresses can be sequentially increased and re-requested, resulting in continuous queries by the recursive server.

Suggestion: That unbound incorporate additional logic to defend against a "poisoned authority record" attack - logic in addition to its superior port/qid randomization? This additional logic is: that an exact match, not merely an "in-bailiwick" match, be required before unbound would accept glue/RR record additions or updates.

It seems to me that little harm would result if unbound were instructed to accept glue/RR records only from *exact* matches, and not from *inexact*, but in-bailiwick authority records.

Thanks for considering this.
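As an added illustration (not from the original post and not unbound's own code), the two acceptance rules discussed above in Python: the usual in-bailiwick test beside the exact-match rule proposed in the post, applied to a constructed response whose names and addresses are invented. It shows which authority/additional records each rule would let into the cache, including the glue for the zone's own name server.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "ns1.example.com."
    rtype: str   # "A" or "NS"
    rdata: str

def labels(name):
    """Split a DNS name into lower-cased labels so comparisons are label-wise, not substring-wise."""
    return name.rstrip(".").lower().split(".")

def in_bailiwick(name, zone):
    """Classic test: `name` equals `zone` or lies below it ("notexample.com" is NOT under "example.com")."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def acceptable(qname, zone, records, policy):
    """Records a resolver would cache from the authority/additional sections under a policy.
    "bailiwick": owner within the zone the answering server was delegated (the usual rule).
    "exact": owner equal to the queried name itself (the stricter rule proposed in the post)."""
    kept = []
    for rr in records:
        if policy == "bailiwick":
            ok = in_bailiwick(rr.name, zone)
        elif policy == "exact":
            ok = labels(rr.name) == labels(qname)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        if ok:
            kept.append(rr)
    return kept

# Constructed response (hypothetical data) for a query sent to the example.com servers.
QNAME = "a00001.example.com."
ZONE = "example.com."
RESPONSE = [
    RR("a00001.example.com.", "A", "192.0.2.10"),   # answer for the queried name
    RR("example.com.", "NS", "ns1.example.com."),    # authority: delegation for the whole zone
    RR("ns1.example.com.", "A", "192.0.2.53"),       # glue for that NS (what RRset poisoning targets)
    RR("www.example.com.", "A", "192.0.2.99"),       # unrelated in-bailiwick name
    RR("ns.other.net.", "A", "198.51.100.1"),        # out of bailiwick: rejected by both policies
]

def compare_policies():
    """Owner names each policy would let into the cache, for the constructed response."""
    return {p: [rr.name for rr in acceptable(QNAME, ZONE, RESPONSE, p)]
            for p in ("bailiwick", "exact")}
```

Note that the exact rule also drops the glue for ns1.example.com., so the resolver would have to resolve the name server's address separately; that is the trade-off the post's "little harm" claim weighs.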