ANN: DNS resolver changes in yakkety

Seth Arnold seth.arnold at canonical.com
Tue May 31 23:35:34 UTC 2016


On Tue, May 31, 2016 at 10:45:24PM +0200, Martin Pitt wrote:
> resolved, which you can probably do in the order of a minute. It does
> not use source port randomization though, which would lift the average
> time to the magnitude of a month.

I'm concerned what this says about the maturity of the project: djbdns
introduced source port randomization back in 1999. PowerDNS has had source
port randomization for a decade now. Everybody else added this feature in
2008 when it got some Big Press:

https://dankaminsky.com/2008/07/24/details/
https://en.wikipedia.org/wiki/Dan_Kaminsky#Flaw_in_DNS
http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug
https://www.ietf.org/mail-archive/web/dnsop/current/pdf2jgx6rzxN4.pdf
https://www.iana.org/about/presentations/davies-viareggio-entropyvuln-081002.pdf
http://www.darkreading.com/vulnerabilities-and-threats/dan-kaminsky-reveals-dns-flaw-at-black-hat/d/d-id/1070756
https://kb.isc.org/article/AA-00924/0/CVE-2008-1447%3A-DNS-Cache-Poisoning-Issue-Kaminsky-bug.html

Source port randomization is a basic requirement these days.

Thanks
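As an added illustration (not part of this thread or of any resolver's code), the following Python works through the two magnitudes quoted above, a minute versus a month, under the assumption that the spoofing rate is fixed and only the entropy a forged reply must match changes; it also includes a simple heuristic a resolver operator can run over captured query source ports to tell a fixed or sequential port from a randomized one. The thresholds and the sample port lists are constructed for the example.

```python
# Added example: why ~16 bits of source-port entropy turns minutes into a
# month, plus a crude operator-side check of observed query source ports.

def expected_attack_time_minutes(entropy_bits, minutes_at_16_bits=1.0):
    """Scale brute-force time with the search space the forged reply must
    hit. Assumption (not from the thread): the spoofing rate is constant,
    so time grows as 2**bits; the thread's 'about a minute' for a bare
    16-bit transaction ID is the calibration point."""
    return minutes_at_16_bits * 2 ** (entropy_bits - 16)

def minutes_to_days(minutes):
    return minutes / (60 * 24)

def port_randomization_score(ports):
    """Fraction of distinct ports, and fraction of consecutive queries whose
    source port is unchanged or incremented by one (the signature of a
    fixed or sequentially allocated port)."""
    n = len(ports)
    distinct_ratio = len(set(ports)) / n
    sequential = sum(1 for a, b in zip(ports, ports[1:]) if b - a in (0, 1))
    return {"distinct_ratio": distinct_ratio,
            "sequential_ratio": sequential / (n - 1)}

def looks_randomized(ports, min_distinct=0.9, max_sequential=0.1):
    """Heuristic verdict; thresholds are assumptions for this example."""
    s = port_randomization_score(ports)
    return s["distinct_ratio"] >= min_distinct and s["sequential_ratio"] <= max_sequential

# Constructed sample captures of query source ports (20 queries each).
FIXED_PORT = [40000] * 20                    # every query from one port
SEQUENTIAL_PORTS = list(range(40000, 40020))  # port incremented per query
RANDOMIZED_PORTS = [41765, 12043, 60211, 7934, 55120, 33567, 48812, 21345,
                    63001, 9876, 27654, 51203, 16789, 44412, 38990, 59337,
                    12877, 30001, 47123, 5412]

if __name__ == "__main__":
    for bits in (16, 32):
        m = expected_attack_time_minutes(bits)
        print(f"{bits} bits of entropy: ~{m:.0f} minutes (~{minutes_to_days(m):.1f} days)")
    for name, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL_PORTS),
                         ("randomized", RANDOMIZED_PORTS)):
        print(name, port_randomization_score(sample), looks_randomized(sample))
```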