Re: XQID (Re: Forgery Resistance phase #2) - DNS
Paul Vixie wrote:
>> I think my XQID suggestion (http://www.jhsoft.com/dns-xqid.htm), which by
>> the way seems like an even better idea in light of the Kaminsky bug, is
>> somewhere in your list already.
> if we can amend the edns spec to require that for the XQID option, a reply
> without XQID will cause the transaction to be repeated several times across
> all of the zone's nameservers, with a different random UDP port and 16-bit
> QID each time, then i will support the XQID proposal. (this logic for
> repeat-on-suspicion is more or less what we're recommending in 0x20, and
> it's possible that if there are enough 0x20 bits available, then an XQID
> could be made optional for that transaction.)
Correct me if I'm wrong, but I think you might be confusing two
proposals here: XQID and the EDNS PING proposal. XQID appends entropy to
the actual query name, and shouldn't be downgradeable by leaving
something out (because then the answer wouldn't be the same as the query).
Using EDNS PING is 'cleaner' (it doesn't muck with the query), but would
need something like you ask for here.
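Added example, not part of this message and not code from either proposal or from anyone on this list: a small Python simulation of the two checks being contrasted above. A reply to an XQID-style query is matched on the question name, entropy label included, so there is nothing to downgrade; a reply to an EDNS PING-style query can simply omit the option, which is why Vixie's repeat-on-suspicion step (re-run the transaction against every nameserver with a fresh random port and QID, accept only if all replies agree) is needed for it. The message layout, the XQID encoding as a leading 32-bit hex label, the 64-bit PING nonce, the nameserver names and the addresses are all assumptions of this example; no real DNS wire format is produced.

```python
import random
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed, simplified DNS message: only the fields that matter for the
# spoofing discussion (transaction ID, UDP source port, question name and an
# optional EDNS nonce). No real wire format is parsed or produced here.
@dataclass
class Message:
    qid: int                      # 16-bit transaction ID
    port: int                     # resolver's UDP source port
    qname: str                    # question name as sent, or as echoed back
    ping: Optional[bytes] = None  # hypothetical EDNS PING option payload
    rdata: Optional[str] = None   # answer data (replies only)

Sender = Callable[[str, Message], Message]  # send(nameserver, query) -> reply


def _ids(rng: random.Random):
    return rng.getrandbits(16), 1024 + rng.getrandbits(15)


def xqid_query(name: str, rng: Optional[random.Random] = None) -> Message:
    """XQID-style query: the extra entropy goes into the question name itself.
    A leading 32-bit hex label is this example's assumed encoding."""
    rng = rng or secrets.SystemRandom()
    qid, port = _ids(rng)
    return Message(qid, port, f"{rng.getrandbits(32):08x}.{name}")


def xqid_reply_ok(query: Message, reply: Message) -> bool:
    """Nothing to negotiate: a reply whose question section lacks the entropy
    label does not match the outstanding query, just like a wrong QID."""
    return (reply.qid, reply.port, reply.qname.lower()) == \
           (query.qid, query.port, query.qname.lower())


def ping_query(name: str, rng: Optional[random.Random] = None) -> Message:
    """EDNS PING-style query: name untouched, 64-bit nonce in an EDNS option
    (the option layout is this example's assumption)."""
    rng = rng or secrets.SystemRandom()
    qid, port = _ids(rng)
    return Message(qid, port, name, ping=rng.getrandbits(64).to_bytes(8, "big"))


def ping_reply_status(query: Message, reply: Message) -> str:
    """'accept', 'reject' or 'suspect'. Suspect: QID/port/name matched but the
    option is missing, so either the server does not speak PING or a spoofer
    left it out. That is the downgrade the thread is talking about."""
    if (reply.qid, reply.port, reply.qname.lower()) != \
       (query.qid, query.port, query.qname.lower()):
        return "reject"
    if reply.ping is None:
        return "suspect"
    return "accept" if reply.ping == query.ping else "reject"


def resolve_with_ping(name: str, nameservers: List[str], send: Sender,
                      rng: Optional[random.Random] = None,
                      repeats: int = 3) -> Optional[str]:
    """Repeat-on-suspicion as sketched above: a reply without the PING echo is
    not rejected outright, but the transaction is re-run `repeats` times against
    every nameserver, each with a fresh random port and QID, and the answer is
    used only if all of those replies agree."""
    rng = rng or secrets.SystemRandom()
    query = ping_query(name, rng)
    reply = send(nameservers[0], query)
    status = ping_reply_status(query, reply)
    if status == "accept":
        return reply.rdata
    if status == "reject":
        return None
    answers = set()
    for _ in range(repeats):
        for ns in nameservers:
            q = ping_query(name, rng)
            r = send(ns, q)
            if ping_reply_status(q, r) == "reject":
                return None
            answers.add(r.rdata)
    # A spoofer now has to win all repeats * len(nameservers) races, each
    # against ~31 fresh bits of port+QID, instead of just the first one.
    return answers.pop() if len(answers) == 1 else None


def honest_server(supports_ping: bool, rdata: str = "192.0.2.1") -> Sender:
    """Constructed authoritative server: echoes the question and, if it speaks
    PING, the nonce. (An XQID server would strip the entropy label before the
    lookup; only the echo matters here, so that is elided.)"""
    def send(ns: str, q: Message) -> Message:
        return Message(q.qid, q.port, q.qname,
                       ping=q.ping if supports_ping else None, rdata=rdata)
    return send


def spoofer(real: Sender, target: str, wins: int = 1,
            rdata: str = "198.51.100.66") -> Sender:
    """Constructed attacker who wins the first `wins` races outright (correct
    QID and port, say because the resolver's RNG is weak) but only knows the
    bare target name and cannot produce the PING nonce."""
    left = [wins]
    def send(ns: str, q: Message) -> Message:
        if left[0] > 0:
            left[0] -= 1
            return Message(q.qid, q.port, target, rdata=rdata)
        return real(ns, q)
    return send
```

The interesting case is `spoofer(honest_server(True), ..., wins=2)`: the attacker wins the first race and one retry, but the remaining retries come back from the real server with a different answer, the replies disagree, and `resolve_with_ping` returns nothing rather than the forged record. Against `xqid_reply_ok` the same attacker loses on the very first reply, because the bare name no longer matches the question that was actually asked.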