[dns-operations] Why non-repeating transaction IDs?

Paul Vixie paul at vix.com
Fri Aug 3 17:11:30 UTC 2007


> So you randomize source ports too, adding nearly 16 bits to the 16 bits of
> random already available. 31.97 bits of random is nothing to sneeze at if
> you have a 100ms timeframe to scan it.

i first heard this idea from dan bernstein, and it's a good one.  in my own
hacking (not part of BIND, at least not yet) i've been keeping up to 16
outbound UDP sockets open with kernel-assigned port numbers, and closing each
when the number of transactions still using that socket goes to zero.  this
gives me 16 distinct 16-bit ranges, which is almost like a 20-bit query ID
but i'm sure that the upper 4 bits of that "extended query ID" are quite
predictable.  their purpose is to protect the predictability of the bottom
16 bits, rather than to be unpredictable in their own right.  should BIND be
doing something like this?  (should there be an I-D on it, and does anyone
think that dan bernstein would be willing to co-author it since this was
really his idea?)
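The socket-pool scheme described in the message, as an added illustration (not Vixie's code and not from BIND): up to 16 UDP sockets bound to port 0 so the kernel assigns each source port, with a socket closed as soon as its last in-flight transaction ends, so the next use of that slot gets a fresh port. Choosing a slot uniformly at random and binding to 127.0.0.1 are assumptions; the message does not say how a socket is picked.

```python
import secrets
import socket


class UdpSocketPool:
    """Up to `size` outbound UDP sockets, each with a kernel-assigned port.

    A transaction is identified by (slot, 16-bit query id).  The socket in a
    slot is closed once no transaction still uses it, so a later transaction
    landing on that slot is sent from a newly assigned source port.
    """

    def __init__(self, size=16, bind_addr="127.0.0.1"):
        self.size = size
        self.bind_addr = bind_addr          # assumption: loopback for the demo
        self.slots = [None] * size          # each entry: [socket, in_flight]

    def _open(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((self.bind_addr, 0))         # port 0: the kernel picks the port
        return [s, 0]

    def begin(self):
        """Start a transaction: pick a slot (assumption: uniformly at random),
        open its socket if the slot is empty, and draw a random 16-bit id."""
        slot = secrets.randbelow(self.size)
        if self.slots[slot] is None:
            self.slots[slot] = self._open()
        self.slots[slot][1] += 1
        return slot, secrets.randbelow(1 << 16)

    def source_port(self, slot):
        return self.slots[slot][0].getsockname()[1]

    def end(self, slot):
        """Finish a transaction; close the socket once nothing else uses it."""
        entry = self.slots[slot]
        entry[1] -= 1
        if entry[1] == 0:
            entry[0].close()
            self.slots[slot] = None

    def open_count(self):
        return sum(1 for e in self.slots if e is not None)


def distinct_ports_seen(pool_size=16, transactions=64):
    """Run overlapping transactions and count the distinct source ports an
    observer would see: the 'upper bits' of the extended query id."""
    pool, ports, live = UdpSocketPool(pool_size), set(), []
    for _ in range(transactions):
        slot, _qid = pool.begin()
        ports.add(pool.source_port(slot))
        live.append(slot)
    for slot in live:                       # finishing all closes every socket
        pool.end(slot)
    return len(ports), pool.open_count()
```

With all transactions finished the pool holds no open sockets, and the number of distinct ports is at most the pool size, which is why the extra bits are bounded by log2(16) = 4.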
