Maintained by: NLnet Labs

2012 OARC Name Server Selection of DNS Caching Resolvers

Daisuke HIGASHI
Fri Sep 25 17:13:39 CEST 2015


Hi Richard,

AFAIK there have been no big changes in Unbound's NS selection algorithm for
years.

In Aug 2013 researchers pointed out a flaw in _BIND9's_ nameserver
selection algorithm: attackers could subvert the randomization of NS
selection [1].
ISC stated that it is not considered a security vulnerability, but they also
stated that the algorithm will be improved [2]. I don't know the further
status of BIND9's implementation.

[1] https://www.usenix.org/conference/woot13/workshop-program/presentation/hay
[2] https://kb.isc.org/article/AA-01030/169/Operational-Notification-A-Vulnerability-in-the-SRTT-Algorithm-affects-BIND-9-Authoritative-Server-Selection.html