Maintained by: NLnet Labs

[Unbound-users] Increase RRset poisoning resistance

Wouter Wijngaards
Tue Aug 12 09:11:05 CEST 2008


7v5w7go9ub0o wrote:
|> Read his papers from   It's just much easier to poison
|> cache if you don't do random ports.
| Argh yes ...... The basic system design weakness remains.


|>> Suggestion: That unbound incorporate additional logic to defend
|>> against a
|>> "poisoned authority record" attack - logic in addition to its superior
|>> port/qid randomization?

| Well......yes, it ....... could .....
| But we really don't know, do we! This second type of attack is much more
| threatening than the first, and no one else has any answers. FWICT
| DNSSEC won't defend against it.
| You're very likely right - it is not perfect. But it may prove to be
| very good in many applications.
| Unbound is under active development at a time of "danger";  this is a
| perfect opportunity to test some radical approaches that may work well
| 99% of the time.
| Put the option in with a default setting to "off"; not activated. Put a
| little note next to it that this option is for beta testing.
| This would allow folks to test it. It may work quite well in many
| situations; not so well in others. A log entry could record when an
| in-bailiwick RR record was rejected.

I am working on working, non-disruptive filtering mechanisms. Just like
the ones released in 1.0.2.

Thanks for the suggestion. Such options, like caps-for-id (0x20), are
good to have.

Best regards,
    Wouter

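To make concrete what the caps-for-id (0x20) option mentioned in the reply above adds on top of port and query-id randomization, here is a small added illustration. It is not Unbound's code and not from the thread; the function names, the response dictionaries and the sample names (www.example.com., the 192.0.2.1 / 203.0.113.9 addresses) are constructed for this example. The idea it demonstrates: the resolver randomizes the case of each letter in the question name before sending, and only accepts a response whose echoed question name matches that case exactly, so a forged response that did not see the outgoing query has to guess those extra bits as well as the transaction id.

```python
import secrets
from typing import Tuple

def encode_0x20(qname: str, randbit=lambda: secrets.randbits(1)) -> str:
    """Return qname with the case of every letter chosen at random.

    DNS name matching is case-insensitive, and authoritative servers copy the
    question section back into the response as received, so the case pattern
    survives the round trip and acts as extra per-query entropy.  'randbit' is
    injectable so the behaviour can be tested deterministically.
    """
    out = []
    for ch in qname:
        if ch.isalpha():
            out.append(ch.upper() if randbit() else ch.lower())
        else:
            out.append(ch)          # dots, digits, hyphens carry no case
    return "".join(out)

def extra_entropy_bits(qname: str) -> int:
    """Number of letters in the name, i.e. bits of entropy 0x20 encoding adds."""
    return sum(1 for ch in qname if ch.isalpha())

def response_acceptable(sent_id: int, sent_qname: str, response: dict) -> Tuple[bool, str]:
    """Decide whether a response belongs to the query we sent.

    'response' is a constructed stand-in for a parsed DNS message with keys
    'id' (16-bit transaction id) and 'qname' (the echoed question name).
    The checks are ordered as a resolver would apply them: id, then name,
    then the exact case pattern.
    """
    if response["id"] != sent_id:
        return False, "transaction id mismatch"
    if response["qname"].lower() != sent_qname.lower():
        return False, "question name mismatch"
    if response["qname"] != sent_qname:
        # Right name, wrong case: the sender never saw our query on the wire.
        return False, "0x20 case pattern mismatch, response rejected"
    return True, "ok"

def demo():
    """Send one encoded query, then evaluate a genuine and a forged response."""
    sent_qname = encode_0x20("www.example.com.")
    sent_id = secrets.randbits(16)
    genuine = {"id": sent_id, "qname": sent_qname, "answers": ["192.0.2.1"]}
    # The forger guessed the id but only knows the lowercase name; it is
    # accepted only if all 13 random case bits happened to come out lowercase.
    forged = {"id": sent_id, "qname": "www.example.com.", "answers": ["203.0.113.9"]}
    return {
        "sent": sent_qname,
        "extra_bits": extra_entropy_bits(sent_qname),
        "genuine": response_acceptable(sent_id, sent_qname, genuine),
        "forged": response_acceptable(sent_id, sent_qname, forged),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rejection reason string is the kind of thing the earlier suggestion in the thread asks for: a log entry recording when a response was thrown away and why, which lets an operator see spoofing attempts rather than only their absence from the cache.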