From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/3] Unbound: Enable DNS cache poisoning mitigation
Date: Sun, 26 Aug 2018 20:35:22 +0200
Message-ID: <e2f8c119-6e7b-00a8-9847-414615f9e94c@link38.eu>
In-Reply-To: <b43ed5ce9676371ebaf2ccb8aefed49d7583e455.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8489447278854670168=="
List-Id: <development.lists.ipfire.org>

--===============8489447278854670168==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hello Michael,

could you merge the series with the second version of this patch
then?

Thanks, and best regards,
Peter Müller 

> 1M sounds good.
> 
> This should never become a problem for zones that use DNSSEC.
> 
> On Thu, 2018-08-23 at 21:22 +0200, Peter Müller wrote:
>> Well, some people consider 10k a good value for this:
>> https://calomel.org/unbound_dns.html
> 
>> Not sure if this is actually too low. During some attacks, 5M
>> was satisfying here, but I did not dig into thresholds deeper.
>> Simulated attacks did not show a unique behaviour, and their
>> real value is questionable in my point of view.
> 
>> What do you propose for the value? 1M or 100k?
> 
>> Best regards,
>> Peter Müller
> [snip]
-- 
Microsoft DNS service terminates abnormally when it recieves a response
to a DNS query that was never made.  Fix Information: Run your DNS
service on a different platform.
		-- bugtraq


--===============8489447278854670168==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUVCQ2dBZEZpRUV2UDRTaUdoRVlE
SnlyUkxrMlVqeUQzMTduMmdGQWx1Qzh1b0FDZ2tRMlVqeUQzMTcKbjJoMENSQUFsZjNYTmJEVEQ2
c01PUFpaOXRMUTByaXpERzlRclpHZ0NLeHhnbXUzcWtLS1h0QW5pU3pYZit2eQovQXNML05QYU1B
TDRDYjRxeTFndW9YK3ZIZDlUbmhsdmVTQkNkY0JNMHEwTjJ0T09UZ2VLUk0xVndHRDdhbjNjCjhH
UXU0MGIvbmRWeXZLMy9hdXpwQWRpbSs3bjZuR2FuV014UTRqdUFZZW8wRldqc3FpZmZZS1NFeUVv
MFJWWDkKSlVvMjl1MlVERG42d1J6ei9VM3VwR0JzZDgyb29EazM1TGdaN3IrOGU0aG9zcmFrZXEw
eHF3L3NvbkNhOWg3MwpGMExBNGU2UktubEduYzVRRjNUamZyL1dSWW9aTElxNHZnY3JRUmdjbldm
NHB0Q0Y1RHF6SW85T0ZFbDBEWmI3Cm1RNnJjUjAyNm9RWmFhWlZPYjB2Q0xQREp4OG9zVHQ2b05Y
eUdPbzRUTTZ2dmJxVzVRY2lDQWhWZmhMS1NGOWoKNG9nR2hiRGZZWEdmZCsxSDlSckFpUUNHOVFj
ZUdMRXhlUEg0dmprTFZyUEZKL1dtVys0M1VneTd5VHlxQ2w4RAphNGNNLy9aK2ViVnFVL1ZyZUl0
bHBlWEhNZFJxQmhWdGl6ZUlqMUFTaFBBRUVZSFZ0d29QYUhyTmFtY3RHb2k2CncybllCQ01aOXFY
cWhUMzdBZUtnWWdUZVVSL2hxYzNFeld4RGdMY3hnU1JrY2tkYTJ4Q3RWTHIybmttUnluSnQKZnN1
eGlLWG9lTytCeUhIOFc3Z0xndnpvcGNrc1ZtM0ZJcGZqTitRdm53OXN6bVR4eXBrSDBHR3JrUVcw
RlA2agplc3NRbEUydE9jd1NjdDNjWFV2M0FDNDAwb1RhQ0Q4M1RFQ2tRSFprbUhYNUYwNVhzcTg9
Cj10cUFICi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============8489447278854670168==--