Re: draft-ietf-dnsext-forgery-resilience-01.txt
--On 12 November 2007 16:28:08 +0000 Tony Finch <dot@dotat.at> wrote:
> You can't just naively pick a query ID at random from the whole 16-bit
> space because you'll have ID clashes. You need a scheme that does not
> re-use recent IDs too quickly, but this does not mean that you don't
> need good randomness.
I think not. Picking IDs in ascending numerical order (skipping clashes)
would satisfy that, but obviously be less useful than a random scheme
(which also skipped clashes). I am assuming here that there is some
set of IDs which are dangerous.

I think the problem here is people are trying to describe the mechanism
for allocating IDs etc. rather than what it is desirable to achieve. E.g.:

"IDs SHOULD be assigned in a manner that the ability of a third party
with access to wire data to guess IDs on subsequent queries is minimised;
this could, for instance, be achieved by introducing a pseudo-random
component into the mechanism used to select the ID".
Alex
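The two properties the thread is arguing about, clash avoidance (no re-use of an ID that is in flight or recently retired) and unpredictability (a wire observer should not be able to guess the next ID), can be separated in code. The following is an added example written for this archive page, not code from the draft or from either poster: the class names, the 4096-entry retirement history and the "last ID + 1" guessing check are this example's own assumptions. The sequential allocator is the scheme Alex describes (ascending IDs, skipping clashes); the random allocator adds the pseudo-random component from his proposed wording while keeping the same non-reuse guarantee, and `guess_hit_rate` measures how often a naive observer's prediction succeeds against each.

```python
"""DNS query-ID allocation: clash avoidance versus unpredictability.

Added example (not code from the draft or the list). Both allocators refuse to
hand out an ID that is in flight or was retired within the last `history`
releases; only the random one also resists prediction from observed IDs.
"""
import secrets
from collections import deque

ID_SPACE = 1 << 16  # the DNS message ID is a 16-bit field


class _IdAllocatorBase:
    """Shared bookkeeping: in-flight IDs plus a bounded history of retired IDs."""

    def __init__(self, history=4096):
        self.in_flight = set()
        self.recent = deque()      # retired IDs, oldest first
        self.recent_set = set()    # same IDs, for O(1) membership tests
        self.history = history

    def _candidate(self):
        raise NotImplementedError  # subclasses decide how an ID is proposed

    def allocate(self):
        """Return an ID that is neither in flight nor recently retired."""
        # In-flight and recent IDs are excluded, so a free ID exists only if
        # they do not cover the whole space; the caller must bound concurrency.
        if len(self.in_flight) + len(self.recent_set) >= ID_SPACE:
            raise RuntimeError("query ID space exhausted")
        while True:
            qid = self._candidate()
            if qid not in self.in_flight and qid not in self.recent_set:
                self.in_flight.add(qid)
                return qid

    def release(self, qid):
        """Retire an ID once its response arrived (or the query timed out)."""
        if qid not in self.in_flight:
            return
        self.in_flight.remove(qid)
        if len(self.recent) >= self.history:
            # Each ID appears at most once in `recent`, so evicting the oldest
            # entry from the deque and the set keeps them in step.
            self.recent_set.discard(self.recent.popleft())
        self.recent.append(qid)
        self.recent_set.add(qid)


class SequentialIdAllocator(_IdAllocatorBase):
    """Ascending IDs, skipping clashes: no re-use, but trivially guessable."""

    def __init__(self, history=4096, start=0):
        super().__init__(history)
        self.next_id = start

    def _candidate(self):
        qid = self.next_id
        self.next_id = (qid + 1) % ID_SPACE
        return qid


class RandomIdAllocator(_IdAllocatorBase):
    """CSPRNG-chosen IDs with clash rejection: no re-use and unpredictable."""

    def _candidate(self):
        return secrets.randbelow(ID_SPACE)


def guess_hit_rate(allocator, trials):
    """Fraction of allocations that a passive observer predicts correctly with
    the naive guess 'last seen ID + 1', having watched each ID on the wire."""
    prev = allocator.allocate()
    allocator.release(prev)
    hits = 0
    for _ in range(trials):
        qid = allocator.allocate()
        allocator.release(qid)
        if qid == (prev + 1) % ID_SPACE:
            hits += 1
        prev = qid
    return hits / trials


if __name__ == "__main__":
    print("sequential allocator, guess hit rate:", guess_hit_rate(SequentialIdAllocator(), 1000))
    print("random allocator,     guess hit rate:", guess_hit_rate(RandomIdAllocator(), 1000))
```

The rejection loop in `allocate` is what makes the random scheme "skip clashes" just as the sequential one does, so non-reuse is a property of the bookkeeping, not of the ID source; the hit rate against the sequential allocator is 1.0, while against the random one it stays near 1/65536 per guess.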
--
archive: <http://ops.ietf.org/lists/namedroppers/>