
Re: draft-ietf-dnsext-forgery-resilience-01.txt




Florian Weimer wrote:
> * Tony Finch:
> 
>> On Mon, 12 Nov 2007, Florian Weimer wrote:
>>> * Stephane Bortzmeyer:
>>>> What is not a good idea? "Implementations SHOULD use good random
>>>> source to select a Query ID" or "The draft should add a reference to
>>>> RFC 4086"?
>>> The former.  It has been argued that non-repeating query IDs are more
>>> important than good randomness.  I tried very hard to understand this,
>>> but I still don't get it.
>> You can't just naively pick a query ID at random from the whole 16 bit
>> space because you'll have ID clashes.
> 
> Why are ID clashes a problem?  Do real-world authoritative servers
> misbehave when confronted with them?

Well, it's a resolver that picks the query ID, but this is a good question.

The only time you have an actual clash is when you have a duplicate ID+source
IP+source port+destination IP+destination port for a UDP query, because then the
resolver has no way to disambiguate the replies it gets.

Certainly some implementations may have problems with duplicate query IDs, but
that's out of scope for an RFC, IMHO.

--
Shane
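An added illustration of the clash condition Shane describes (example code, not from the thread or any resolver): a pending-query table keyed on ID plus source IP/port plus destination IP/port, with IDs drawn at random from the whole 16-bit space but rejected when the same ID is already outstanding on the same 5-tuple. The class and method names, and the 192.0.2.x documentation addresses, are assumptions.

```python
import secrets

# Added example: a resolver-side table of outstanding UDP queries. A reply can
# only be matched when ID, source IP/port and destination IP/port all agree,
# so exactly that combination is the dictionary key. Keys are written from the
# query's point of view; a caller swaps the reply's addresses before matching.

class InFlightTable:
    def __init__(self, max_tries=16):
        self.pending = {}          # (qid, src_ip, src_port, dst_ip, dst_port) -> qname
        self.max_tries = max_tries

    def pick_id(self, src_ip, src_port, dst_ip, dst_port, rng=secrets.randbelow):
        """Draw an ID uniformly from 0..65535, but reject any value that is
        already outstanding on this 5-tuple, because a reply carrying it could
        not be disambiguated. rng(n) returns an int in [0, n); the default is
        a CSPRNG, tests may pass a deterministic one."""
        for _ in range(self.max_tries):
            qid = rng(1 << 16)
            if (qid, src_ip, src_port, dst_ip, dst_port) not in self.pending:
                return qid
        raise RuntimeError("no free query ID on this 5-tuple; too many in flight")

    def send(self, qname, src_ip, src_port, dst_ip, dst_port, rng=secrets.randbelow):
        qid = self.pick_id(src_ip, src_port, dst_ip, dst_port, rng)
        self.pending[(qid, src_ip, src_port, dst_ip, dst_port)] = qname
        return qid

    def match_reply(self, qid, src_ip, src_port, dst_ip, dst_port):
        """Return the qname this reply answers, or None when no outstanding
        query matches every field (such a reply is dropped, never guessed at)."""
        return self.pending.pop((qid, src_ip, src_port, dst_ip, dst_port), None)

if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation range.
    t = InFlightTable()
    a = t.send("example.com", "192.0.2.1", 53000, "192.0.2.53", 53)
    b = t.send("example.net", "192.0.2.1", 53000, "192.0.2.53", 53)
    assert a != b                      # never the same ID on the same 5-tuple
    print(t.match_reply(a, "192.0.2.1", 53000, "192.0.2.53", 53))  # example.com
```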

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>