IainHull commented on code in PR #385:
URL: https://github.com/apache/incubator-pekko/pull/385#discussion_r1228025496
##########
actor/src/main/resources/reference.conf:
##########
@@ -1144,6 +1144,12 @@ pekko {
# Defaults to a system dependent lookup (on Unix like OSes, will
attempt to parse /etc/resolv.conf, on
# other platforms, will default to 1).
ndots = default
+
+ # The policy used to generate dns transaction ids. Options are
sequence, thread-local-random or secure-random.
+ # Defaults to thread-local-random similar to Netty, secure-random
produces FIPS compliant random numbers but
+ # could block looking for entropy (these are short integers so are
easy to bruit-force), sequence is the old
+ # behavior.
+ id-generator-policy = thread-local-random
Review Comment:
This is where Netty uses `ThreadLocalRandom` for transaction ids.
https://github.com/netty/netty/pull/4455/files
There is a paper about dns poisoning
https://dl.acm.org/doi/pdf/10.1145/3460120.3486219 it's actually quite easy to
brute force the transaction ids, some implementations randomise the source
port number but even with that they managed to brute force it in minutes.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
