Re: draft-ietf-dnsext-forgery-resilience-01.txt

[Paul Vixie <paul@vix.com>]

> > * a reference (normative?) to RFC 4086 would be a very good idea, with
> > a link from section 9 "Implementations SHOULD use good random source
> > to select a Query ID"
> 
> There is no industry consensus that this is a good idea.

agreed.  there's no consensus that even a ~31 bit pseudo random combination
of source port and query ID is good enough to have confidence that any given
answer was really received from a purported server.

there is also no consensus on the meaning of "good" in the context of "good
random source".  some say arc4random is fine, others say it's too weak.

you could say something like "Implementations SHOULD NOT use query-ID schemes
for which a proof of concept has demonstrated trivial predictability and easy
cache pollution.  NOTE WELL that the definition of 'trivial' changes every
year, and that nothing short of Secure DNS can provide confidence in answers."



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>