> 1. "poison a single address record" attack.
>
> This is when an attacker tries to match the qid/port of a request. This is
> clearly not an issue with unbound, which is well designed in
> terms of randomness, and has first-rate test results; e.g.
>
> <https://www.dns-oarc.net/oarc/services/porttest> )

Argh, not again... Kaminsky-style attack is not about port randomization.
Read his papers from doxpara.com... It's just much easier to poison the cache
if you don't use random ports.

> Suggestion: That unbound incorporate additional logic to defend against a
> "poisoned authority record" attack - logic in addition to its superior
> port/qid randomization?
>
> This additional logic is: that an exact match, not merely an "in-bailiwick"
> match be required before unbound would accept glue/RR record additions or
> updates.
>
> It seems to me that little harm would result if unbound were instructed
> to accept glue/RR records only from *exact* matches, and not from *inexact*,
> but in-bailiwick authority records.

"seems to" and "little harm" are really dangerous words in the context of DNS.
There are a lot of servers in the wild which don't do the right thing, there
are a lot of inconsistencies in DNS data, and that "little harm" you are
speaking about could cause severe damage.

But I think this is not the right place to discuss that. This issue spreads
across platforms and servers, and the right place (or just a better place) to
discuss this is the namedroppers list (mailing list of the dnsext working
group @ ietf). And you should probably start by reading the archives before
making suggestions, so you are not rehashing issues already discussed.

Ondrej.
--
Ondřej Surý <ondrej at sury.org>
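The two acceptance rules being argued over above, written out as an added Python example (not unbound's code and not anything either poster supplied): a resolver that queried a server authoritative for `zone` filters the additional/glue records in the reply either with the usual in-bailiwick rule (owner name at or below the zone the server is authoritative for) or with the stricter exact-match rule proposed in the quoted message. The zone, query name and address records are constructed sample data in documentation ranges; `RR`, `in_bailiwick` and `filter_additional` are names chosen for this illustration. Running it shows the trade-off: the exact-match policy also drops the legitimate `ns1.example.com` glue that the resolver needs to follow the delegation.

```python
"""Bailiwick filtering of additional/glue records in a DNS response.

Added illustration (not unbound's code). A resolver that queried a server
authoritative for `zone` decides which additional-section RRs to cache:
  * "bailiwick": accept RRs whose owner is zone itself or below it;
  * "exact":     accept only RRs whose owner equals the queried name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare label-wise."""
    n = name.strip().lower()
    return n[:-1] if n.endswith(".") and len(n) > 1 else n


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or is a label-aligned descendant of it."""
    o, z = normalize(owner), normalize(zone)
    if z in ("", "."):          # root zone: every name is in bailiwick
        return True
    # The leading "." prevents notexample.com matching example.com.
    return o == z or o.endswith("." + z)


def filter_additional(rrs, zone, qname, policy="bailiwick"):
    """Split rrs into (accepted, rejected) under the chosen policy."""
    accepted, rejected = [], []
    for rr in rrs:
        if policy == "exact":
            ok = normalize(rr.owner) == normalize(qname)
        elif policy == "bailiwick":
            ok = in_bailiwick(rr.owner, zone)
        else:
            raise ValueError(f"unknown policy: {policy}")
        (accepted if ok else rejected).append(rr)
    return accepted, rejected


# Constructed sample: reply from a server authoritative for example.com to a
# query for www.example.com. Addresses are from documentation ranges.
SAMPLE_ZONE = "example.com."
SAMPLE_QNAME = "www.example.com."
SAMPLE_ADDITIONAL = [
    RR("www.example.com.", "A", "192.0.2.10"),       # exact match
    RR("ns1.example.com.", "A", "192.0.2.53"),       # in-bailiwick glue
    RR("NS1.Example.COM.", "AAAA", "2001:db8::53"),  # same owner, odd case
    RR("notexample.com.", "A", "198.51.100.7"),      # out of bailiwick (label boundary)
    RR("ns.example.net.", "A", "203.0.113.9"),       # out of bailiwick
]


def demo():
    """Apply both policies to the sample; returns {policy: (accepted, rejected)}."""
    out = {}
    for policy in ("bailiwick", "exact"):
        acc, rej = filter_additional(SAMPLE_ADDITIONAL, SAMPLE_ZONE,
                                     SAMPLE_QNAME, policy)
        out[policy] = ([r.owner for r in acc], [r.owner for r in rej])
    return out


if __name__ == "__main__":
    for policy, (acc, rej) in demo().items():
        print(f"{policy:9s} accept {acc}")
        print(f"{'':9s} reject {rej}")
```

The label-boundary check in `in_bailiwick` is the detail most often got wrong in home-grown filters: a plain suffix test would treat `notexample.com` as part of `example.com`.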