On Sun, 8 Sep 2013, Aaron Campbell wrote:

this sounds vaguely similar to unbound's "harden-referral-path" option,
though it applies to all lookups.

I researched this, and found that it was first described here:

http://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-01#section-3.3

The option is currently marked "experimental" due to not being RFC standard,
and performance concerns.  If the option were applied only to large responses
(specifically to mitigate this type of attack), that would reduce the performance impact.

This option has been enabled for years in the RHEL/EPEL and Fedora
standard configurations of unbound.

That would be very interesting if Unbound were the default DNS server in these
dists, but I assume it is BIND?

RHEL7 will feature unbound for users who want to use DNSSEC on the
desktop, along with dnssec-triggerd. As for what the "default DNS
server" is for creating a DNS infrastructure - either one will be
available.

bind10 will not be in RHEL7, as it uses an un-certified crypto library
(botan) but bind9 is still included.

Paul
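For readers who want to verify whether a given unbound.conf actually carries the harden-referral-path option discussed above, here is an added example (not code from the thread or from the unbound project) that parses a config text offline and reports the effective value; it assumes unbound's documented default for the option is "no", and the sample config is constructed.

```python
"""Audit an unbound.conf text for the harden-referral-path setting.

Offline counterpart to `unbound-checkconf -o harden-referral-path`:
parses server: clauses, strips comments, and applies last-wins.
"""
import re
from typing import Dict, Optional

# Assumption from the unbound.conf(5) man page: harden-referral-path is
# off by default (it is experimental and adds query load), so an absent
# or commented-out option means "no".
DEFAULT_HARDEN_REFERRAL_PATH = "no"


def parse_server_options(conf_text: str) -> Dict[str, str]:
    """Return option -> last value seen inside server: clauses.

    Lines are stripped of '# ...' comments; a bare 'name:' line with no
    value starts a new clause (server:, forward-zone:, ...). Options in
    other clauses are ignored so forward-zone keys do not leak in.
    """
    opts: Dict[str, str] = {}
    clause: Optional[str] = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if value == "":
            clause = key          # clause header such as "server:"
            continue
        if clause == "server":
            opts[key] = value     # later occurrence overrides earlier
    return opts


def harden_referral_path_enabled(conf_text: str) -> bool:
    """True only if the effective server: value is 'yes'."""
    opts = parse_server_options(conf_text)
    return opts.get("harden-referral-path", DEFAULT_HARDEN_REFERRAL_PATH).lower() == "yes"


# Constructed sample: the option is present but commented out, so the
# effective value falls back to the default "no".
SAMPLE_CONF = """\
server:
    verbosity: 1
    # harden-referral-path: yes
    harden-glue: yes
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
"""

if __name__ == "__main__":
    print("harden-referral-path enabled:", harden_referral_path_enabled(SAMPLE_CONF))
```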

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations