https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6221
--- Comment #8 from Simon Arlott <[email protected]> 2010-01-27 04:51:01 UTC ---

(In reply to comment #4)
> I didn't notice or pay attention to this bug when it was opened three or four
> months ago and just looked it over now.
>
> I think bug #4260 comment #49 contains the reason not to let the OS pick a
> "suitable" port. We need to have the port numbers spread so that they do not
> get re-used by any of the spamd child processes over a lifetime that is
> determined by how long it can take for any DNS server to finally respond to a
> query. The OS has no reason to randomize the ports, it can re-use a port number
> as soon as there is no active listener for it.

Linux iterates through the available ports. Randomly selecting ports can easily steal a port that should have been available for something else.

Responding to a DNS query after the client has timed out is a potential problem, but randomly selecting ports doesn't guarantee a fix either. It can't even guarantee a free port will be found within N attempts. If the ports used are iterative then the query ID (assuming the resolver is trusted; see below) can be based on time to filter out old responses.

Can't a configuration option be added to let the OS assign a port?

> Does anyone know if the big security fix for all DNS implementations in July
> 2008 took care of this for us so using port 0 is now ok? See, for example this
> article:
>
> http://news.cnet.com/8301-10789_3-9985618-57.html

This is irrelevant when querying a trusted local resolver. Assuming there is an appropriate filter on incoming spoofed traffic.
