Hello,

> This was deliberately not enabled because the documentation contains a
> warning about various incompatibilities with various other DNS servers.

Yes, there are a lot of broken DNS servers out there...

> Is there some sort of study saying that this can be safely enabled?

I know people operating DNS resolvers for > 30k customers with this setting
enabled. They never experienced any issue with this so far. This is enabled
on my systems too.

Currently, I am not aware of a public study.

Best regards,
Peter Müller

> -Michael
>
> On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote:
>> Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
>> random bits into upstream queries. Upstream documentation claims
>> it to be an experimental implementation, it did not cause any trouble
>> on productive systems here.
>>
>> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
>> further details.
>>
>> Signed-off-by: Peter Müller
>> ---
>> config/unbound/unbound.conf | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index fa2ca3fd4..8b5d34ee3 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -59,7 +59,7 @@ server:
>> harden-below-nxdomain: yes
>> harden-referral-path: yes
>> harden-algo-downgrade: no
>> - use-caps-for-id: no
>> + use-caps-for-id: yes
>>
>> # Harden against DNS cache poisoning
>> unwanted-reply-threshold: 5000000
> --
> Microsoft DNS service terminates abnormally when it receives a response to
> a DNS query that was never made. Fix Information: Run your DNS service on
> a different platform. -- bugtraq
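Review bot: the flipped line `+ use-caps-for-id: yes` carries no comment explaining why an option the upstream documentation marks as experimental and warns about is now enabled, while the adjacent block is introduced by `# Harden against DNS cache poisoning`; add a one-line comment above it (or move it under that heading) stating the rationale from the commit message, and say in the commit message how a misbehaving upstream would show up so operators know what to watch for and can revert. If the Unbound version in use has it, an exemption list (`caps-whitelist`) for the specific authorities the warning refers to would let the option stay on globally without depending on every remote server echoing case correctly.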
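The mechanism the commit message describes, as an added example that is not code from Unbound, IPFire or the patch: the query name's letter case is randomised and a reply is only accepted when it echoes that exact casing. The helper names `encode_0x20`, `entropy_bits` and `reply_acceptable` are hypothetical, and the bit source is injectable so the result is deterministic.

```python
import secrets


def encode_0x20(qname: str, bit_source=None) -> str:
    """Randomise the case of every ASCII letter in qname (dns-0x20, the
    behaviour Unbound's use-caps-for-id turns on). Dots, digits and hyphens
    are left alone, so the name still resolves to the same owner; only the
    case bits carry per-query entropy. bit_source is an iterable of 0/1
    values (injected here for a deterministic example); by default the bits
    come from the OS CSPRNG, as a resolver would want."""
    if bit_source is None:
        bit_source = iter(lambda: secrets.randbits(1), None)  # endless bits
    bits = iter(bit_source)
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if next(bits) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def entropy_bits(qname: str) -> int:
    """Case-flippable letters = extra bits an off-path spoofer must guess on
    top of the 16-bit transaction ID and the source port. Short or
    digit-heavy names gain little from 0x20."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def reply_acceptable(sent_qname: str, reply_qname: str) -> bool:
    """Resolver-side check: the question name echoed in the reply must match
    the exact casing that was sent. Ordinary DNS name comparison is
    case-insensitive; this one is deliberately case-sensitive. It returns
    False both for a forged reply whose casing guess was wrong and for a
    real authority that normalises case (the incompatibility the upstream
    documentation warns about)."""
    return sent_qname == reply_qname


if __name__ == "__main__":
    sent = encode_0x20("example.com")            # e.g. "eXaMpLe.cOm"
    print("sent:", sent, "extra bits:", entropy_bits(sent))
    print("authority echoes casing:", reply_acceptable(sent, sent))
    print("forged reply, random guess:", reply_acceptable(sent, encode_0x20("example.com")))
    print("authority that lowercases:", reply_acceptable(sent, "example.com"))
```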