Dan Kaminsky's issue accidentally leaked?

On Tue, Jul 22, 2008 at 03:35:06AM +0000, Paul Vixie wrote:
> > > The algorithm might in fact be quite simple:
> > > 1) See if a remote nameserver talks extended query id.
> > > 2) If it doesn't, fall back to TCP and get the bits from there.
> > > 3) If that doesn't work, wait for people to fix their firewalls.

> this is completely undeployable. tcp is blocked in way too many places, and
> the large commercial stub vendors would never implement #3 above, which turns
> this into the same basic downgrade vector all versions of XQID or cookies
> have ever had.

At least this shows us a path that gives immediate benefit to those who
play, especially the "opportunistic keep-state EDNS PING" where resolvers
cache who has done EDNS PING in the past, and know they should not be
downgraded (for now).

"[it] might be doable to slowly turn this on. First try the ping and use it
if available, and keep state ("this IP address pings back to us, don't
believe any answers where it doesn't"), but don't fall back to TCP.

A year from now we turn on fall back to TCP if you don't EDNS-ping back.

People who are afraid they will be overwhelmed by TCP queries make sure
they have EDNS-pingback ability."

EDNS PING moved to EDNS option 5 today. I'll wrap up some informal specs and
see who plays.

There is an immediate benefit for everybody who joins.
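The "opportunistic keep-state" policy sketched in the message above, written out as an added Python example; it is not code from the post, from the informal spec mentioned, or from any nameserver. The only value taken from the thread is option code 5. Everything else is assumed for illustration: that the option carries a 4-octet random nonce which a ping-aware server echoes back unchanged, and all the names used (PingState, build_opt_rr, server_respond, demo, the 192.0.2.x documentation addresses).

```python
"""Resolver-side EDNS PING policy as sketched in the thread (added example).
Assumptions not in the original post: option code 5 carries a 4-octet random
nonce the server must echo verbatim; every name here (PingState, build_opt_rr,
server_respond, demo, ...) is invented for this example."""
import os
import struct

EDNS_PING = 5      # EDNS option code named in the thread
NONCE_LEN = 4      # assumption: 4-octet nonce
OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type
OPT_HDR_LEN = 11   # root name (1) + TYPE (2) + CLASS (2) + TTL (4) + RDLEN (2)

def encode_option(code, data):
    """One EDNS option on the wire: OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    return struct.pack("!HH", code, len(data)) + data

def decode_options(rdata):
    """Parse OPT RDATA into {code: data}; truncated or overlong options raise."""
    opts, off = {}, 0
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if off + length > len(rdata):
            raise ValueError("EDNS option length exceeds RDATA")
        opts[code] = rdata[off:off + length]
        off += length
    return opts

def build_opt_rr(rdata, udp_size=4096):
    """OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext flags (0)."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata

def parse_opt_rr(wire):
    """Inverse of build_opt_rr; returns the option map or raises on bad input."""
    if len(wire) < OPT_HDR_LEN or wire[0] != 0:
        raise ValueError("OPT RR must start with the root name")
    rtype, _udp_size, _ttl, rdlen = struct.unpack_from("!HHIH", wire, 1)
    if rtype != OPT_TYPE or len(wire) != OPT_HDR_LEN + rdlen:
        raise ValueError("not a well-formed OPT RR")
    return decode_options(wire[OPT_HDR_LEN:])

def server_respond(request_opt_rr, supports_ping):
    """Authoritative side: a ping-aware server echoes option 5 unchanged; a legacy
    server sends no OPT at all (None). Assumed behaviour, not from the thread."""
    if not supports_ping:
        return None
    nonce = parse_opt_rr(request_opt_rr).get(EDNS_PING)
    if nonce is None:
        return build_opt_rr(b"")
    return build_opt_rr(encode_option(EDNS_PING, nonce))

class PingState:
    """Resolver memory of which servers ping back. Rule from the thread: once an
    address has echoed a ping, an answer from it without our nonce is not believed.
    Addresses never seen pinging are accepted as before (no TCP fallback yet)."""

    def __init__(self):
        self.pings_back = set()

    def make_query_opt(self):
        """Fresh nonce plus the OPT RR to attach to the outgoing query."""
        nonce = os.urandom(NONCE_LEN)
        return nonce, build_opt_rr(encode_option(EDNS_PING, nonce))

    def judge(self, server_ip, nonce, response_opt_rr):
        """Verdict: accept-ping, accept-legacy, reject-downgrade or reject-nonce."""
        echoed = None if response_opt_rr is None else parse_opt_rr(response_opt_rr).get(EDNS_PING)
        if echoed is None:
            if server_ip in self.pings_back:
                return "reject-downgrade"   # known pinger, answer lacks the ping
            return "accept-legacy"          # no state for this server yet
        if echoed != nonce:
            return "reject-nonce"           # option present but not our nonce
        self.pings_back.add(server_ip)
        return "accept-ping"

def demo():
    """The exchange the thread sketches, plus two forged answers; returns verdicts."""
    state, verdicts = PingState(), []
    # 1. Ping-aware server at 192.0.2.1 (documentation address) echoes the nonce.
    nonce, q = state.make_query_opt()
    verdicts.append(state.judge("192.0.2.1", nonce, server_respond(q, True)))
    # 2. Spoofed answer for the same server carrying no OPT: now refused.
    nonce, q = state.make_query_opt()
    verdicts.append(state.judge("192.0.2.1", nonce, None))
    # 3. Spoofed answer that guesses the nonce wrong (bit-flipped here): refused.
    nonce, q = state.make_query_opt()
    wrong = bytes(b ^ 0xFF for b in nonce)
    verdicts.append(state.judge("192.0.2.1", nonce, build_opt_rr(encode_option(EDNS_PING, wrong))))
    # 4. Legacy server at 192.0.2.2 never pinged: still accepted in this first phase.
    nonce, q = state.make_query_opt()
    verdicts.append(state.judge("192.0.2.2", nonce, server_respond(q, False)))
    return verdicts
```

Calling `demo()` yields the four verdicts in order: accept-ping, reject-downgrade, reject-nonce, accept-legacy. The accept-legacy branch is the downgrade window the quoted reply objects to: an attacker who can keep a resolver from ever seeing a real ping-back from a server keeps that server in the "legacy" bucket. The message's plan is to close that window later by falling back to TCP for servers that never ping, which this example deliberately does not do.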

