From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH v4 2/3] Unbound: Use caps for IDs Date: Mon, 10 Sep 2018 16:21:25 +0200 Message-ID: <20180910142126.5265-2-peter.mueller@link38.eu> In-Reply-To: <20180910142126.5265-1-peter.mueller@link38.eu> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1622750635365560269==" List-Id: --===============1622750635365560269== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Attempt to detect DNS spoofing attacks by inserting 0x20-encoded random bits into upstream queries. Upstream documentation claims it to be an experimental implementation, it did not cause any trouble on productive systems here. See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details. Signed-off-by: Peter Müller --- config/unbound/unbound.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index ce9ddcd62..6eaf70a8e 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -59,7 +59,7 @@ server: harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no - use-caps-for-id: no + use-caps-for-id: yes # Harden against DNS cache poisoning unwanted-reply-threshold: 1000000 -- 2.16.4 --===============1622750635365560269==--
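Review bot: The new `use-caps-for-id: yes` line in the `server:` hunk of config/unbound/unbound.conf carries no comment, although the commit message itself says upstream documents the feature as experimental. Please add a one-line comment above it saying that it enables 0x20-encoded random bits in upstream queries for spoofing detection and that upstream calls it experimental, so anyone chasing resolution failures finds the setting quickly. The existing "# Harden against DNS cache poisoning" comment directly below belongs to `unwanted-reply-threshold` and does not cover this line. The commit message would also be stronger if it said which upstream resolvers or forwarders the "productive systems" were tested against, since the check depends on upstreams echoing the query name's case unchanged. If exemptions turn out to be needed for individual domains, Unbound's `caps-whitelist` option could be mentioned in that comment as the place to put them.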