[dns-operations] Why non-repeating transaction IDs?

Simon Waters simonw at zynet.net
Fri Aug 3 08:49:55 UTC 2007


On Friday 03 August 2007 08:59, Florian Weimer wrote:
> I see that people use lots of home-grown algorithms to get random, but
> mostly non-repeating transaction IDs in their resolvers.  I can't find
> the rationale for this; a straightforward PRNG or stream cipher seems
> sufficient for this task.  Any pointers to RFCs or papers are
> appreciated.

PRNG are not random, and thus too predictable. 

The same problem pattern has been done to death for TCP sequence numbers. 
Search for "TCP" "sequence numbers" "vulnerabilities" "strange attractors", 
and such.

This is DJB's sort of territory.

Of course the basic problem with DNS is the space is rather small, so spoofing 
is theoretically possible even if you do use a "good" method of generating 
transaction IDs.


More information about the dns-operations mailing list