[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10
Shane Kerr
shane at time-travellers.org
Mon Jun 6 02:58:06 UTC 2016
Paul,
At 2016-06-06 02:38:43 +0000
P Vixie <paul at redbarn.org> wrote:
> +1 to this approach.
Which approach? Also supporting DNS cookies, or doing DNS cookies
instead of port randomization?
AIUI cookies requires both server and client support, right? Given the
long adoption tail of DNS, I don't think we can safely run a DNS
server or client on the Internet that doesn't do source port
randomization for decades. :(
(Although maybe one could run a switchable model where you use a client
library that doesn't include port randomization support, but have one
lying around that does in case you find yourself on a network where
this is needed?)
So basically DNS cookies is another feature for coders to implement and
maintain, with more code, a bigger footprint, more bugs, and a larger
attack surface. It's probably worth it, but it's not like you can rip
out the port randomization code.
It is also probably just another reason that people should people who
know and love DNS implement the DNS. :) (Note that I don't mean that
this needs to be existing DNS folks - new blood with a passion for DNS
can do awesome things!)
I wonder if the systemd folks would accept a patch for DNS cookies
support? Does anybody know if they are welcoming of such things? (My
intuition says "probably not" but if you fit in their NIH model maybe
so?)
Cheers,
--
Shane
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20160606/0649826e/attachment.sig>
More information about the dns-operations
mailing list