[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10
paul at redbarn.org
Mon Jun 6 02:38:43 UTC 2016
+1 to this approach.
On June 5, 2016 6:51:03 PM PDT, Mark Andrews <marka at isc.org> wrote:
>In message <20160606092634.32fddbf7 at pallas.home.time-travellers.org>,
>Shane Kerr writes:
>> At 2016-06-05 14:29:20 -0400
>> Paul Wouters <paul at nohats.ca> wrote:
>> > On Fri, 3 Jun 2016, Phil Regnauld wrote:
>> > >> ... apparently it doesn't do source port randomization. Ouch.
>> > >>
>> > >> That's a real step backwards if that's the case.
>> > >
>> > > Ok, this was implemented in systemd 220:
>> > >
>> > > https://github.com/systemd/systemd/blob/master/NEWS
>> > >
>> > > * systemd-resolved now implements RFC5452 to improve resilience against
>> > > cache poisoning. Additionally, source port randomization is enabled
>> > > by default to further protect against DNS spoofing attacks.
>> > systemd-resolved requires a forwarder. It is not a full DNS
>> > server. So source port randomization is pretty useless as you are
>> > likely just doing DNS on the local network.
>> Minor point: According to Geoff Huston something like 10% of the
>> of the world use 188.8.131.52 as their resolver, at least as of a couple
>> years ago:
>> So the idea that stub resolvers talk to DNS on the local network is
>> true in hundreds of millions of cases. Adding source port randomization
>> will help the (admittedly crappy) protection against out-of-path
>> spoofing for these users.
>Adding DNS COOKIE support (RFC 7873) will do an even better job and
>help with other issues. With working DNS COOKIE support you don't
>need to do port randomisation.
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
Sent from my Android device with K-9 Mail. Please excuse my brevity.
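As an added illustration of the two defenses the thread compares (this is not code from the thread, from systemd or from ISC): a stub-side acceptance check that matches a response against the outstanding query's transaction ID, source port and RFC 7873 client cookie, so that an off-path sender who guesses the 16-bit TXID and the port still fails on the 64-bit client cookie it never saw. The COOKIE option encoding follows RFC 7873 section 4; the query-state dict is a constructed stand-in for a real socket, and rejecting any response without a matching client cookie is this example's policy choice.

```python
import os
import struct

COOKIE = 10  # EDNS0 OPTION-CODE for COOKIE (RFC 7873, section 4)


def encode_cookie_option(client_cookie, server_cookie=b""):
    """Encode one EDNS0 COOKIE option: OPTION-CODE, OPTION-LENGTH, cookies."""
    if len(client_cookie) != 8 or (server_cookie and not 8 <= len(server_cookie) <= 32):
        raise ValueError("client cookie is 8 bytes; server cookie is 8 to 32 bytes")
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE, len(data)) + data


def decode_cookie_option(opt_rdata):
    """Walk OPT RDATA and return (client_cookie, server_cookie), or None if absent/malformed."""
    off = 0
    while off + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[off:off + 4])
        body = opt_rdata[off + 4:off + 4 + length]
        if len(body) != length:
            return None  # truncated option
        off += 4 + length
        if code == COOKIE and (len(body) == 8 or 16 <= len(body) <= 40):
            return body[:8], body[8:]
    return None


def new_query(qname):
    """Stub-side state for one outstanding query (constructed stand-in for a socket).

    TXID is 16 bits, the randomized source port adds roughly 16 more, and the
    client cookie adds 64 bits that never leave the client/server path.
    """
    sport = 1024 + int.from_bytes(os.urandom(2), "big") % 64512  # 1024..65535
    return {"txid": os.urandom(2), "sport": sport, "qname": qname,
            "client_cookie": os.urandom(8)}


def accept_response(pending, txid, dport, qname, opt_rdata):
    """Accept a response only if every field an off-path sender must guess matches."""
    if txid != pending["txid"] or dport != pending["sport"] or qname != pending["qname"]:
        return False
    cookies = decode_cookie_option(opt_rdata)
    # Policy choice for this example: no cookie, or a cookie we did not send, is spoofed.
    return cookies is not None and cookies[0] == pending["client_cookie"]
```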