https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6221

--- Comment #10 from Simon Arlott <[email protected]> 2010-01-27 10:45:41 UTC ---
(In reply to comment #9)
> (in reply to comment #8)
> 
> I didn't reference the Dan Kaminsky vulnerability because of security
> concerns, so using a trusted filtered local server or whatever is not the
> issue. If you go back through the complicated discussion in bug 4260 the
> point is to assure that the 32 bit combination of port and ID do not get
> reused within the possible lifetime of a DNS request and its reply. The
> insight we got from that bug was that there really are so many DNS queries
> that a 16 bit space just from the ID is not enough to avoid collisions. It is
> the same problem that the

Specifically, it would need to be lots of queries that are timing out.
Successful queries will not cause problems.

> Kaminsky vulnerability was based on, which is why I am wondering if the
> solution to that vulnerability, which should be pretty universally deployed
> now, has now spread the port/ID combination that is seen in practice out over
> more of the possible 32-bit space, rendering the code that we put in no longer
> necessary.

The solution to the vulnerability is to use an unpredictable source port on the
client side, so it has no effect on SpamAssassin's need to avoid receiving a
response to an older request.

On any deployment where there is an actual need to handle huge numbers of DNS
queries, the local nameserver should have an appropriate query timeout (ideally
this value would be in the request message but it's not). This would work much
more reliably than pseudo-random port/ID selection because the nameserver
wouldn't be replying to queries that SA had given up on.

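An added illustration of the collision argument in this thread (not part of the bug comment and not SpamAssassin code): it models keys drawn uniformly at random from a 16-bit ID space versus a 32-bit port/ID space and computes the chance that a new query reuses a key still owned by a query the client has given up on. The counts of timed-out and new queries are constructed assumptions.

```python
import math
import random

def collision_probability(bits, stale, new_queries):
    """Chance that at least one of `new_queries` picks a key that still
    belongs to one of `stale` timed-out queries the nameserver may answer.

    Assumption (not from the thread): keys are uniform over 2**bits and the
    stale keys are distinct. Answered queries are not counted, because no
    late reply can arrive for them.
    """
    space = 2 ** bits
    if stale >= space:
        return 1.0 if new_queries else 0.0
    # log1p/expm1 keep precision when stale/space is tiny (32-bit case).
    return -math.expm1(new_queries * math.log1p(-stale / space))

def simulate(bits, stale, new_queries, trials, seed=1):
    """Monte Carlo check of the formula with a fixed seed."""
    rng = random.Random(seed)
    space = 2 ** bits
    hits = 0
    for _ in range(trials):
        stale_keys = set(rng.sample(range(space), stale))
        if any(rng.randrange(space) in stale_keys
               for _ in range(new_queries)):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    # Constructed load: 200 timed-out queries still answerable while
    # 1000 new queries are sent.
    for bits in (16, 32):
        p = collision_probability(bits, stale=200, new_queries=1000)
        print(f"{bits}-bit key space: P(collision) = {p:.6f}")
    print("simulated, 16-bit:", simulate(16, 200, 1000, trials=500))
```

With no timed-out queries the probability is zero in either space, which matches the point above that only queries that time out matter.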