Maintained by: NLnet Labs

[Unbound-users] Increase RRset poisoning resistance

Wouter Wijngaards
Tue Aug 12 09:11:05 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

7v5w7go9ub0o wrote:
|> Read his papers from doxpara.com...   It's just much easier to poison
|> the cache if you don't do random ports.
|
| Argh yes ...... The basic system design weakness remains.

Yes.

|>> Suggestion: That unbound incorporate additional logic to defend
|>> against a
|>> "poisoned authority record" attack - logic in addition to its superior
|>> port/qid randomization?

| Well......yes, it ....... could .....
|
| But we really don't know, do we! This second type of attack is much more
| threatening than the first, and no one else has any answers. FWICT
| DNSSEC won't defend against it.
|
| You're very likely right - it is not perfect. But it may prove to be
| very good in many applications.
|
| Unbound is under active development at a time of "danger";  this is a
| perfect opportunity to test some radical approaches that may work well
| 99% of the time.
|
| Put the option in with a default setting to "off"; not activated. Put a
| little note next to it that this option is for beta testing.
|
| This would allow folks to test it. It may work quite well in many
| situations; not so well in others. A log entry could record when an
| in-bailiwick RR record was rejected.

I am working on working, non-disruptive filtering mechanisms, like the
ones released in 1.0.2.

Thanks for the suggestion. Such options, like caps-for-id (0x20), are
good to have.

Best regards,
~   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkihN4kACgkQkDLqNwOhpPjv/wCfcEAeGOMNJOt21gn1MqcyIk9h
ycwAoKr2DqbHBUc4ZdbhWNwbLOqvh/1i
=GcZ4
-----END PGP SIGNATURE-----
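Added illustration of the two mechanisms this message touches on: 0x20 case randomisation of the query name (caps-for-id) layered on QID and source-port randomisation, and the ordinary bailiwick rule that drops out-of-zone records from a referral. This is not Unbound's code and is not part of the original post. The sample names, addresses, QID and port are constructed; the bit counts assume a full 16 bits each for QID and port. The extra filtering of in-bailiwick records the message discusses is not modelled here, only the baseline check it would sit on top of.

```python
import random

# Constructed sample query name for the demonstration (not from the thread).
SENT_QNAME = "www.example.com."


def randomize_case(qname: str, seed=None) -> str:
    """Randomly flip the 0x20 (case) bit of every ASCII letter in qname.
    A reply must echo the question exactly, so each letter is one more bit
    a blind forger has to guess.  `seed` only makes the output repeatable."""
    rng = random.Random(seed)
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if rng.getrandbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def caps_entropy_bits(qname: str) -> int:
    """Extra bits of entropy that 0x20 encoding adds for this name."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def total_entropy_bits(qname: str, qid_bits: int = 16,
                       port_bits: int = 16, use_caps: bool = True) -> int:
    """Bits a forger must match: QID, source port and, optionally, name case.
    Assumes full 16-bit QID and port ranges; real port ranges are narrower."""
    bits = qid_bits + port_bits
    if use_caps:
        bits += caps_entropy_bits(qname)
    return bits


def response_accepted(sent: dict, resp: dict) -> bool:
    """Match a reply against the outstanding query: QID, destination port
    and the exact, case-preserved question name must all agree."""
    return (resp["qid"] == sent["qid"] and resp["port"] == sent["port"]
            and resp["qname"] == sent["qname"])


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` or a subdomain of it, comparing whole labels
    (so 'notexample.com' is NOT under 'example.com')."""
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    if z == [""]:
        return True  # the root zone covers every name
    return len(n) >= len(z) and n[-len(z):] == z


def filter_referral(zone: str, records: list) -> tuple:
    """Keep only authority/additional records inside the bailiwick of the
    zone that was asked; return (kept, rejected).  Records are
    (owner, type, rdata) tuples."""
    kept, rejected = [], []
    for rec in records:
        (kept if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return kept, rejected


if __name__ == "__main__":
    # Constructed QID and port; the forger guesses both correctly but does
    # not know the case pattern, so the reply is dropped (except with
    # probability 2**-13 that the random case happened to be all lowercase).
    sent = {"qid": 0x1234, "port": 40123, "qname": randomize_case(SENT_QNAME)}
    forged = {"qid": 0x1234, "port": 40123, "qname": SENT_QNAME}
    print("forged reply accepted:", response_accepted(sent, forged))
    print("bits without 0x20:", total_entropy_bits(SENT_QNAME, use_caps=False))
    print("bits with 0x20:   ", total_entropy_bits(SENT_QNAME))

    # Constructed referral with one out-of-bailiwick glue record.
    referral = [
        ("example.com.", "NS", "ns1.example.com."),
        ("ns1.example.com.", "A", "192.0.2.1"),
        ("www.example.net.", "A", "192.0.2.99"),
    ]
    kept, rejected = filter_referral("example.com.", referral)
    print("rejected:", rejected)
```

The case check only helps if the resolver compares the echoed question name byte-for-byte rather than case-insensitively, and some authoritative servers do not preserve case, which is why such an option is useful as a switch rather than an unconditional rule.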