From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] Unbound: Use caps for IDs
Date: Thu, 23 Aug 2018 21:15:44 +0200
Message-ID: <0af7be2f-4c01-4ac1-235f-8797de6822ff@link38.eu>

Hello,

> This was deliberately not enabled because the documentation contains a
> warning about various incompatibilities with various other DNS servers.

Yes, there are a lot of broken DNS servers out there...

> Is there some sort of study saying that this can be safely enabled?

I know people operating DNS resolvers for > 30k customers with this
setting enabled. They never experienced any issue with this so far.
This is enabled on my systems too.

Currently, I am not aware of a public study.

Best regards,
Peter Müller

> -Michael
>
> On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote:
>> Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
>> random bits into upstream queries. Upstream documentation claims
>> it to be an experimental implementation, it did not cause any trouble
>> on productive systems here.
>>
>> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
>> further details.
>>
>> Signed-off-by: Peter Müller
>> ---
>>  config/unbound/unbound.conf | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index fa2ca3fd4..8b5d34ee3 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -59,7 +59,7 @@ server:
>>  harden-below-nxdomain: yes
>>  harden-referral-path: yes
>>  harden-algo-downgrade: no
>> - use-caps-for-id: no
>> + use-caps-for-id: yes
>>
>>  # Harden against DNS cache poisoning
>>  unwanted-reply-threshold: 5000000
>

-- 
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made.
Fix Information: Run your DNS service on a different platform.
-- bugtraq
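Review bot: the commit message itself says upstream calls this feature experimental, and the reply above cites documented incompatibilities with other DNS servers, yet the hunk flips `- use-caps-for-id: no` to `+ use-caps-for-id: yes` with no accompanying guidance; the commit message should state how a lookup broken by a non-compliant upstream would present to an administrator and that setting `use-caps-for-id: no` is the revert. Minor placement point: the option is a cache-poisoning defence, so it would sit more naturally under the `# Harden against DNS cache poisoning` comment that follows it, next to `unwanted-reply-threshold`.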
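As an added illustration of the 0x20 mechanism the commit message describes (this is not code from Unbound or from this thread): each ASCII letter of the outgoing query name carries one random bit in its case, and a reply is accepted only if its question name matches the sent name byte-for-byte. The `rng` hook, the string (rather than wire-format) name model and the sample names are assumptions made for the demo.

```python
import secrets


def encode_0x20(qname: str, rng=secrets.randbits) -> str:
    """Fold one random bit into the case of every ASCII letter of a DNS name.

    Bit 0x20 of an ASCII letter selects lower case, so each letter carries one
    bit of entropy that a blind spoofer must guess. ``rng(1)`` must return a
    single random bit; the default uses the OS CSPRNG.
    """
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if rng(1) else ch.lower())
        else:
            out.append(ch)  # dots, digits and hyphens carry no bit
    return "".join(out)


def entropy_bits(qname: str) -> int:
    """Number of case bits a name can carry (one per ASCII letter)."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def check_reply(sent_qname: str, reply_qname: str) -> str:
    """Resolver-side check: the reply's question name must equal the name
    that was actually sent, byte-for-byte, not merely case-insensitively."""
    if sent_qname == reply_qname:
        return "accept"
    if sent_qname.lower() == reply_qname.lower():
        # Same name, different case pattern: the sender never saw our query,
        # which is what a blind spoofing attempt looks like to the resolver.
        return "reject: case mismatch"
    return "reject: different name"


if __name__ == "__main__":
    # Constructed sample query name (not taken from the thread).
    sent = encode_0x20("www.example.org.")
    print("sent    :", sent, f"({entropy_bits(sent)} bits of case entropy)")
    print("echoed  :", check_reply(sent, sent))
    print("guessed :", check_reply(sent, "www.example.org."))
```

A blind forger that does not see the query has to guess all `entropy_bits()` case bits on top of the transaction ID and source port, which is the extra margin the option buys.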