From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] Unbound: Use caps for IDs
Date: Thu, 23 Aug 2018 14:40:42 +0100

This was deliberately not enabled because the documentation contains a warning about various incompatibilities with various other DNS servers.

Is there some sort of study saying that this can be safely enabled?

-Michael

On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote:
> Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
> random bits into upstream queries. Upstream documentation claims
> it to be an experimental implementation; it did not cause any trouble
> on productive systems here.
>
> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> further details.
>
> Signed-off-by: Peter Müller
> ---
> config/unbound/unbound.conf | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index fa2ca3fd4..8b5d34ee3 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -59,7 +59,7 @@ server:
> harden-below-nxdomain: yes
> harden-referral-path: yes
> harden-algo-downgrade: no
> - use-caps-for-id: no
> + use-caps-for-id: yes
>
> # Harden against DNS cache poisoning
> unwanted-reply-threshold: 5000000
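Review bot: The hunk flips use-caps-for-id to yes without recording why, even though the commit message itself calls the feature experimental and the maintainer's reply points to documented incompatibilities with other DNS servers; a short comment above the line (the reason for enabling it, the upstream reference already given in the commit message, and the known caveat) would let a later reader judge whether to keep the setting or revert it. The changed line also sits above the "# Harden against DNS cache poisoning" comment although the commit message describes it as an anti-spoofing measure, so grouping it with unwanted-reply-threshold under that heading would match the file's own organisation.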