IainHull commented on code in PR #385:
URL: https://github.com/apache/incubator-pekko/pull/385#discussion_r1228020233
##########
actor/src/main/resources/reference.conf:
##########
@@ -1144,6 +1144,12 @@ pekko {
# Defaults to a system dependent lookup (on Unix like OSes, will
attempt to parse /etc/resolv.conf, on
# other platforms, will default to 1).
ndots = default
+
+ # The policy used to generate dns transaction ids. Options are
sequence, thread-local-random or secure-random.
+ # Defaults to thread-local-random similar to Netty, secure-random
produces FIPS compliant random numbers but
+ # could block looking for entropy (these are short integers so are
easy to bruit-force), sequence is the old
+ # behavior.
+ id-generator-policy = thread-local-random
Review Comment:
It could be, but it comes with a lot of downsides. Its very easy to run out
of entropy when a container starts which will block the startup of your
application trying to generate the transactions id for DNS queries to join the
cluster.
The other thing to note is that we are generating a short, it is trivial to
brute-force 32k numbers if an attacker wanted to break DNS SecureRandom would
not prevent that.
IMO the only reason to enable SecureRandom would be if you require it for
FIPS.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
