[Unbound-users] unbound 1.4.6 released

Florian Weimer fweimer at bfk.de
Wed Aug 4 14:25:41 UTC 2010


* Peter Koch:

> these two don't compare too well IMHO.  First, the only issue in 0x20
> that needed(?) standardization was the advice that the QNAME be copied
> to the response bitwise (no casefolding involved). Whether or not
> that constituted a change people have varying opinions about.
> The hack itself is pretty much client side and it was fully described
> in the I-D (still I'm not too happy to see this defaulted to from an
> operational perspective).

The main problem with 0x20 is that it was intended as a cheap way to get
more hard-to-guess bits.  However, it turned out that it did not
actually achieve that goal unless you have tons of rather
non-traditional checks in your resolver (AFAIUI, Unbound has them).
This means that 0x20 wasn't that attractive for implementors in the
end.

> That would indeed be interesting, but DNScurve isn't as complete and
> stable as 0x20 possibly could be.

Unfortunately, 0x20 tends to expose broken authoritative servers which
would otherwise work just fine (see the list archives).

> I appreciate resolver implementers being conservative about
> implementing moving targets.

Last time I checked, there wasn't really a target because it's
difficult to find the description of the correct cryptographic
algorithms.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
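As an added illustration, not part of this thread and not Unbound's own code, the following Python model shows what 0x20 does on the client side (random case for each ASCII letter of the QNAME), how many extra bits that actually yields for a given name, and the bitwise QNAME comparison on the response that the I-D asks authoritative servers to honour. The "casefolded" outcome is how an authoritative server that rewrites the case of the QNAME shows up to a resolver; the function names and the sample names are the example's own.

```python
"""Model of 0x20 DNS case randomization and the response-side check.

Added example (hypothetical helper names); constructed sample inputs only.
"""
import secrets


def entropy_bits(qname: str) -> int:
    """Extra hard-to-guess bits 0x20 can add: one per ASCII letter.

    Digits, dots and hyphens carry no case, so a name such as a reverse
    lookup in in-addr.arpa gets far fewer bits than a long hostname.
    """
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def apply_0x20(qname: str, bits: int) -> str:
    """Return qname with the case of its i-th ASCII letter taken from bit i.

    Bit set -> upper case, bit clear -> lower case. Non-letters are copied
    unchanged. Deterministic, so the caller controls the random source.
    """
    out = []
    letter_index = 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (bits >> letter_index) & 1 else ch.lower())
            letter_index += 1
        else:
            out.append(ch)
    return "".join(out)


def random_0x20(qname: str) -> str:
    """Encode qname with fresh random case bits from the OS CSPRNG."""
    n = entropy_bits(qname)
    return apply_0x20(qname, secrets.randbits(n)) if n else qname


def classify_response(sent_qname: str, received_qname: str) -> str:
    """Compare the QNAME the resolver sent with the one echoed back.

    'match'      : bitwise identical; the 0x20 bits were verified.
    'casefolded' : same name ignoring case, but the server rewrote the
                   case, so the 0x20 bits prove nothing about this answer.
                   This is the 'broken authoritative server' situation.
    'mismatch'   : a different name; not an answer to this query at all.
    """
    if sent_qname == received_qname:
        return "match"
    if sent_qname.lower() == received_qname.lower():
        return "casefolded"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample names, not taken from any real traffic.
    for name in ("www.example.com.", "1.0.0.10.in-addr.arpa."):
        print(f"{name}: {entropy_bits(name)} extra bits")
    sent = random_0x20("www.example.com.")
    print("sent    :", sent)
    print("echoed  :", classify_response(sent, sent))
    print("rewritten:", classify_response(sent, "www.example.com."))
```

The point of `entropy_bits` is the one Florian makes: the gain depends entirely on how many letters the name has, and the check in `classify_response` only helps if the resolver also decides what to do with a "casefolded" answer, which is where the extra resolver-side logic comes in.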



