I think so too; and I wouldn't be so strict on backwards compatibility
there.

That behavior is a side-channel that defeats DNS privacy in some cases.
E.g. I can query a record, watch you send an encrypted query, then query
the record again, and tell what you queried. Within some probability at
least.

For that reason, it'd be worth experimenting with an implementation that
does shuffle the results each time.

On Fri, Jun 15, 2018 at 4:54 PM, Shumon Huque <[email protected]> wrote:

> On Fri, Jun 15, 2018 at 5:55 PM Colm MacCárthaigh <[email protected]>
> wrote:
>
>>
>> Just a question on this: was the old/classic behavior really
>> random/shuffled? Or was it that bind would "rotate" through iterations
>> where the order was the same each time if you think of the rrset list as a
>> ring, but with a different start and end point within that ring? (That's
>> what's described here: https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_07.htm)
>>
>
> ISC veterans can confirm, but my recollection is that the earliest
> implementations were indeed as described above - the response RRset was
> cycled/rotated, rather than randomized.
>
> Shumon.
>
>


-- 
Colm
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
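The side-channel Colm describes, as an added simulation that is not part of the thread or of any resolver's code: a resolver that round-robins (rotates) an RRset lets a client that can query the same name before and after a victim's lookup read the victim's query out of the rotation offset, while per-response shuffling leaves nothing to read. The zone data, names and addresses are constructed for the example; the classes are toy models, not BIND.

```python
"""Toy model of RRset rotation vs. per-response shuffling, and of the inference an
attacker can draw from the rotation offset. Constructed data; not a real resolver."""
import random

# Constructed example RRset: four A records for one hypothetical name.
ZONE = {"www.example.": ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]}


class RotatingResolver:
    """Classic behaviour: the RRset is a ring, and each answer starts one position
    further along the ring than the previous answer for that name."""

    def __init__(self, zone):
        self.ring = {name: list(rrs) for name, rrs in zone.items()}
        self.offset = {name: 0 for name in zone}

    def query(self, name):
        rrs = self.ring[name]
        k = self.offset[name]
        self.offset[name] = (k + 1) % len(rrs)
        return rrs[k:] + rrs[:k]


class ShufflingResolver:
    """Alternative: every answer is an independent random permutation, so its order
    carries no information about earlier lookups by anyone."""

    def __init__(self, zone, rng):
        self.rrsets = {name: list(rrs) for name, rrs in zone.items()}
        self.rng = rng

    def query(self, name):
        rrs = list(self.rrsets[name])
        self.rng.shuffle(rrs)
        return rrs


def rotation_steps(before, after):
    """Ring positions the answer advanced between two lookups of the same name.
    Only meaningful when the resolver really rotates."""
    return before.index(after[0])


def attacker_saw_victim_query(resolver, name, victim_queries):
    """Attacker's probe: look the name up, let the victim (maybe) look it up over an
    encrypted transport, look it up again. Under rotation the attacker's own
    second lookup accounts for exactly one step; any extra step was somebody
    else's query for that name."""
    first = resolver.query(name)
    if victim_queries:
        resolver.query(name)  # the victim's lookup; its content is not visible to the attacker
    second = resolver.query(name)
    return rotation_steps(first, second) != 1


def inference_accuracy(make_resolver, name, trials, seed=0):
    """Fraction of trials in which the attacker's guess matches what the victim did.
    1.0 means the channel leaks perfectly; 0.5 means no better than a coin flip.
    make_resolver(rng) builds a fresh resolver for each trial."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        resolver = make_resolver(rng)
        victim_queries = rng.random() < 0.5
        if attacker_saw_victim_query(resolver, name, victim_queries) == victim_queries:
            correct += 1
    return correct / trials


if __name__ == "__main__":
    name = "www.example."
    print("rotating resolver, attacker accuracy:",
          inference_accuracy(lambda rng: RotatingResolver(ZONE), name, 2000))
    print("shuffling resolver, attacker accuracy:",
          inference_accuracy(lambda rng: ShufflingResolver(ZONE, rng), name, 2000))
```

With a single victim and no other clients the rotating case leaks deterministically; with other clients sharing the cache the attacker only learns that at least one other lookup happened between its probes, which is the "within some probability" part. The shuffling case gives the attacker no signal at all, since each answer's order is independent of every other answer.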
