
Re: dns-0x20.txt



* David Dagon:

> The question "When is there enough entropy to be safe?" always has a
> subjective answer, and I think we'd all like something much larger
> than 2^{40ish}.  Exponential growth is punishing above a threshold and
> DNS-0x20, while not the cure, does get one closer.

One interesting thing about those 0x20 bits is that you don't have to
worry about uniqueness, so you can use a real PRNG to generate them,
instead of the likely-vulnerable LCG cruft that is found in most
resolvers.

> Re: the lack of harm: I'm not aware of any applications monitoring
> recursive-to-authority traffic that would be negatively affected by
> 0x20 flipping.

I imagine that there are in-line devices that perform case
normalization because the 0x20 bits can be seen as a covert channel.

I hope to do some tests next week (or probably the week after that, to
avoid influencing other measurements) to see if such devices are in
front of any authoritative servers.

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>