Re: increasing DNS message entropy, a solution for NATs - DNS
there are negative replies to two different branches of this thread below.
> From: "Roy Arends"
> Joe Abley wrote on 07/21/2008 11:16:07 PM:
> > So, considering there are well-documented examples of TLD, root, and
> > other DNS infrastructure which will, by design, respond with different
> > answers to these two queries, what conclusions should such a resolver
> > draw from the observed incoherence?
> if different, use either, cache neither.
since the verb "use" in this case just means "to cache", since many RDNS
cache and regenerate all data passing through them from ADNS to stub, this
is a meaningless suggestion in response to an absolutely fatal observation.
> From: bert hubert
> How about:
> Which discusses adding some DNS message entropy, by some means, detailed
> > The algorithm might in fact be quite simple:
> > 1) See if a remote nameserver talks extended query id.
> > 2) If it doesn't fall back to TCP and get the bits from there.
> > 3) If that doesn't work, wait for people to fix their firewalls.
this is completely undeployable. tcp is blocked in way too many places, and
the large commercial stub vendors would never implement #3 above, which turns
this into the same basic downgrade vector all versions of XQID or cookies
have ever had.
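The three-step fallback quoted above, and the downgrade objection raised against it, as an added model that is not code from the thread or from any resolver: the bit budgets (16-bit query id, 16 bits of source-port randomisation, a hypothetical 32-bit extended query id) and the function names are assumptions, and the model only counts what an off-path forger must guess for a UDP reply to be accepted.

```python
# Constructed illustration, not from the thread. Bit budgets are assumptions:
# classic 16-bit query id, up to 16 bits from source-port randomisation, and a
# hypothetical extended query id (XQID) that adds 32 bits when the server supports it.
QID_BITS, PORT_BITS, XQID_BITS = 16, 16, 32


def reply_bits(random_port, xqid):
    """Bits an off-path forger must guess for a forged UDP reply to be accepted."""
    return QID_BITS + (PORT_BITS if random_port else 0) + (XQID_BITS if xqid else 0)


def choose_transport(server_talks_xqid, tcp_works, random_port):
    """The quoted three-step algorithm, returning (transport, bits).

    TCP is reported with bits=None: a blind forger must also hit the 32-bit
    sequence number, so it is not comparable to a UDP guess at all.
    """
    if server_talks_xqid:                      # step 1: extended query id
        return "udp+xqid", reply_bits(random_port, True)
    if tcp_works:                              # step 2: fall back to TCP
        return "tcp", None
    return "udp", reply_bits(random_port, False)   # step 3: plain UDP, nothing left


def effective_bits(random_port, attacker_blocks_probe=True, attacker_blocks_tcp=True):
    """Security the resolver actually gets: the weakest branch an adversary who
    can make the earlier steps fail is able to steer it into (the downgrade
    vector objected to above). None means every reachable branch is TCP."""
    xqid_states = (True, False) if attacker_blocks_probe else (True,)
    tcp_states = (True, False) if attacker_blocks_tcp else (True,)
    candidates = [
        bits
        for x in xqid_states
        for t in tcp_states
        for _, bits in [choose_transport(x, t, random_port)]
        if bits is not None
    ]
    return min(candidates) if candidates else None


def expected_forgeries(bits):
    """Average number of forged replies needed to hit the accepted one."""
    return 2 ** bits


if __name__ == "__main__":
    for rp in (False, True):
        print(f"random_port={rp}: effective bits {effective_bits(rp)},"
              f" ~{expected_forgeries(effective_bits(rp))} forgeries")
```

With the assumed budgets, a resolver that will fall all the way to step 3 is only ever as strong as its plain-UDP branch, which is the point of the objection.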