https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6338
Summary: Use of Bit 0x20 in DNS Labels to Improve Transaction Identity
Product: Spamassassin
Version: 3.3.0
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Libraries
AssignedTo: [email protected]
ReportedBy: [email protected]
Created an attachment (id=4671)
--> (https://issues.apache.org/SpamAssassin/attachment.cgi?id=4671)
patch implementing the dns0x20 feature
draft-vixie-dnsext-dns0x20
( http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00 )
Abstract
The small (16-bit) size of the DNS transaction ID has made it a
frequent target for forgery, with the unhappy result of many cache
pollution vulnerabilities demonstrated throughout Internet history.
Even with perfectly and unpredictably random transaction ID's, random
and birthday attacks are still theoretically feasible. This document
describes a method by which an initiator can improve transaction
identity using the 0x20 bit in DNS labels.
The attached patch implements draft-vixie-dnsext-dns0x20
when enabled by:
dns_options dns0x20
Documented as:
=item dns_options opts (default: empty)
Provides a whitespace-separated list of options applying to DNS resolver.
Available options are 'rotate' and 'dns0x20'.
Option 'dns0x20' enables randomization of letters in a DNS query label
according to draft-vixie-dnsext-dns0x20-00, decreasing the chance of
collisions of responses (by chance or by malicious intent) by increasing
the spread provided by a 16-bit query ID and up to 16 bits of a port number,
with additional bits encoded by flipping the case (upper/lower) of letters
in a query. Should work reliably with modern resolvers - do not turn on
if you see frequent info messages "dns: no callback for id:" in the log.
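As an added illustration (not the attached patch or SpamAssassin's own code), the Python sketch below randomizes the 0x20 bit of each letter in a query name, counts the identity bits that adds, and shows the case-sensitive comparison of the echoed question name that a resolver must perform before accepting a response. The packet builders, query names and IDs are constructed for this example.

```python
import random
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035)
DNS_HEADER = struct.Struct("!HHHHHH")

def randomize_0x20(name, rng=None):
    """Flip the 0x20 (case) bit of each ASCII letter at random.
    Digits, hyphens and dots have no case and are left unchanged."""
    rng = rng or random.SystemRandom()
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower())
        if ch.isascii() and ch.isalpha() else ch
        for ch in name
    )

def extra_bits(name):
    """Identity bits gained from case encoding: one per ASCII letter."""
    return sum(1 for ch in name if ch.isascii() and ch.isalpha())

def encode_qname(name):
    """Wire-format the name as length-prefixed labels, case preserved."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_qname(packet, offset=DNS_HEADER.size):
    """Read the question name back out of a packet without lowercasing it."""
    labels = []
    while packet[offset] != 0:
        n = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels) + "."

def build_packet(qname, qid, flags):
    """Constructed A/IN packet with one question and no answers; flags 0x0100
    gives a query (RD set), 0x8180 a response (QR, RD, RA set)."""
    return DNS_HEADER.pack(qid, flags, 1, 0, 0, 0) + encode_qname(qname) + b"\x00\x01\x00\x01"

def response_matches(query, response):
    """Accept a response only if both the 16-bit ID and the question name,
    compared case-sensitively, equal what was sent. A response whose name
    differs only in case is the collision dns0x20 is meant to reject."""
    qid = DNS_HEADER.unpack_from(query)[0]
    rid = DNS_HEADER.unpack_from(response)[0]
    return qid == rid and decode_qname(query) == decode_qname(response)
```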