7v5w7go9ub0o wrote:
|> Read his papers from doxpara.com... It's just much easier to
|> poison cache if you don't do random ports.
|
| Argh yes ...... The basic system design weakness remains.

Yes.

|>> Suggestion: That unbound incorporate additional logic to defend
|>> against a "poisoned authority record" attack - logic in addition to
|>> its superior port/qid randomization?
| Well......yes, it ....... could .....
|
| But we really don't know, do we! This second type of attack is much more
| threatening than the first, and no one else has any answers. FWICT
| DNSSEC won't defend against it.
|
| You're very likely right - it is not perfect. But it may prove to be
| very good in many applications.
|
| Unbound is under active development at a time of "danger"; this is a
| perfect opportunity to test some radical approaches that may work well
| 99% of the time.
|
| Put the option in with a default setting to "off"; not activated. Put a
| little note next to it that this option is for beta testing.
|
| This would allow folks to test it. It may work quite well in many
| situations; not so well in others. A log entry could record when an
| in-bailiwick RR record was rejected.

I am working on working, non-disruptive filtering mechanisms. Just like
the ones released in 1.0.2. Thanks for the suggestion. Such options,
like caps-for-id (0x20), are good to have.

Best regards,
~ Wouter
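As an added illustration of the caps-for-id (0x20) check mentioned at the end of the message (example code written for this page, not Unbound's own implementation), the following shows how a resolver can hide extra entropy in the case of the query name and reject responses that fail to echo it; the QID and port bit counts are assumed defaults, not measurements of any resolver.

```python
import secrets

# Added example, not Unbound's code: the "caps-for-id" (0x20) idea. DNS names
# compare case-insensitively, but an authoritative server echoes the question
# name byte-for-byte, so the resolver can encode random bits in the case of
# each ASCII letter. A forged answer that gets the case pattern wrong is
# dropped, on top of the usual 16-bit QID and random source-port checks.


def letter_positions(qname: str) -> int:
    """Number of ASCII letters in qname, i.e. the number of 0x20 bits available."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def apply_0x20(qname: str, bits: int) -> str:
    """Set each letter's case from successive bits of `bits` (bit 0 -> first letter)."""
    out, i = [], 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (bits >> i) & 1 else ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def encode_query_name(qname: str) -> str:
    """Pick a fresh random case pattern for an outgoing query."""
    return apply_0x20(qname, secrets.randbits(max(letter_positions(qname), 1)))


def check_answer_name(sent_qname: str, answer_qname: str) -> str:
    """Classify the question name echoed in a response.

    'accept'        exact byte match, the 0x20 check passes
    'case-mismatch' same name case-insensitively: drop it, likely a blind forgery
    'wrong-name'    a different name: not an answer to this query at all
    """
    if sent_qname == answer_qname:
        return "accept"
    if sent_qname.lower() == answer_qname.lower():
        return "case-mismatch"
    return "wrong-name"


def entropy_bits(qname: str, port_bits: int = 16, qid_bits: int = 16) -> int:
    """Rough count of bits a blind forger must guess: QID + source port + 0x20 letters.
    port_bits and qid_bits are assumed values, not measurements of any resolver."""
    return qid_bits + port_bits + letter_positions(qname)
```

A resolver would log the `case-mismatch` outcome the way the thread suggests logging rejected in-bailiwick records, since a burst of such responses is a useful poisoning-attempt signal.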