Colm, At 2016-04-11 10:59:02 -0700 Colm MacCárthaigh <[email protected]> wrote:
> On Mon, Apr 11, 2016 at 10:54 AM, Robert Edmonds <[email protected]> wrote: > > > Unbound actually does support both fixed and randomized, and the entropy > > is taken from an interesting place: the ID field from the query. > > I think if there are more than 8 RRs, that won't be enough entropy to > generate all possible permutations. At first I thought this was shocking. SHOCKING. But if the goal is merely to mix up the answers a bit so that software that uses the first RR does not always get the same answer, then it is Good Enough(tm). Even with a fully-predictable QID this is fine. It's only when you consider the order of the RR private that this becomes a concern. I admit I don't fully understand how information leakage is supposed to happen. But if it is a valid concern then probably a cryptographically secure random number generation is needed, and needs to be documented. Cheers, -- Shane
pgpP93rHJOgkH.pgp
Description: OpenPGP digital signature
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
