On 2016/10/13 22:55, Ted Unangst wrote:
> 16 bit IDs don't offer much security. This is well known. A trick to encode
> more bits into the query is to vary the case of the query name. It's case
> insensitive, but all known servers echo it back exactly, case preserving.
Unfortunately not. Many do, but there are some cases, especially with things like global-loadbalancer DNS servers and firewalls doing DNS content inspection, where there are problems (either for all records, or for some records, especially in-addr.arpa). Unbound had to add fallbacks for this (see the 'caps_fallback' bits in iterator/iterator.c). Some strategies for this are discussed in draft-vixie-dnsext-dns0x20-00.
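The exchange above, as an added illustration that is not part of the thread and not Unbound's or anyone's real resolver code: a resolver applies 0x20 case randomisation to the query name, counts how many extra bits it gains, checks whether the answering server echoed the name case-preserved, and, if a server is seen lower-casing the name (the global-load-balancer / inspecting-firewall situation described in the reply), records that server and stops relying on 0x20 for it. The two simulated servers, the `Resolver` class and all function names are constructed for this example; the fallback policy is a simplified sketch, not the logic in iterator/iterator.c.

```python
import secrets


def case_entropy_bits(qname: str) -> int:
    """Each ASCII letter in the name can carry one bit of 0x20 entropy.
    Names such as '1.2.3.4.in-addr.arpa' have few letters, so they gain
    less than a long hostname and lean more on the 16-bit ID and source port."""
    return sum(1 for c in qname if c.isascii() and c.isalpha())


def encode_0x20(qname: str, mask: int) -> str:
    """Set the i-th ASCII letter upper-case iff bit i of mask is set.
    In ASCII the 0x20 bit is exactly the lower/upper-case bit, hence the name."""
    out, i = [], 0
    for c in qname:
        if c.isascii() and c.isalpha():
            out.append(c.upper() if (mask >> i) & 1 else c.lower())
            i += 1
        else:
            out.append(c)
    return "".join(out)


def random_0x20(qname: str) -> str:
    """Randomise the case of a name with a fresh, unpredictable mask."""
    bits = case_entropy_bits(qname)
    return encode_0x20(qname, secrets.randbits(bits)) if bits else qname


def check_echoed_name(sent: str, echoed: str, caps_fallback: bool) -> str:
    """Classify the question name that came back in a response:
    'ok'       exact, case-preserved echo: the 0x20 bits count as entropy
    'fallback' same name ignoring case: server does not preserve case;
               accepted only if the fallback policy is enabled
    'reject'   a different name altogether: not an answer to our question."""
    if sent == echoed:
        return "ok"
    if sent.lower() == echoed.lower():
        return "fallback" if caps_fallback else "reject"
    return "reject"


class Resolver:
    """Hypothetical resolver that remembers which servers failed to echo case."""

    def __init__(self, caps_fallback: bool = True):
        self.caps_fallback = caps_fallback
        self.no_0x20_servers = set()

    def query(self, server_id: str, server, qname: str, mask: int):
        # For a server already known to mangle case, send the plain name and
        # rely on the ID/port entropy alone rather than being fooled by a
        # spurious mismatch on every query.
        if server_id in self.no_0x20_servers:
            sent = qname.lower()
        else:
            sent = encode_0x20(qname, mask)
        echoed = server(sent)  # simulated wire round-trip
        verdict = check_echoed_name(sent, echoed, self.caps_fallback)
        if verdict == "fallback":
            self.no_0x20_servers.add(server_id)
        return verdict, sent, echoed


# Constructed stand-ins for two kinds of authoritative server.
def case_preserving_server(qname: str) -> str:
    return qname                  # echoes the question name byte-for-byte


def lowercasing_server(qname: str) -> str:
    return qname.lower()          # e.g. a load balancer that normalises names


if __name__ == "__main__":
    r = Resolver()
    print(case_entropy_bits("www.example.com"), "extra bits for www.example.com")
    print(r.query("good", case_preserving_server, "www.example.com", 0b101))
    print(r.query("glb", lowercasing_server, "www.example.com", 0b101))
    print(r.query("glb", lowercasing_server, "www.example.com", 0b111))
```

The third query shows the point of the fallback: once the load balancer has been seen lower-casing the name, the resolver sends the plain name to it and gets an 'ok' instead of a mismatch on every subsequent query, at the cost of the extra bits for that server only.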